Re: [TLS] Metadiscussion on changes in draft-ietf-tls-renegotiation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Stefan Santesson wrote:
> 
> I totally agree in principle. However, if a renegotiating client sends a
> full RI extension with valid data AND the client also sends SCSV, then what
> security problem is introduced by allowing the renegotiation (i.e. Not
> aborting)
> 
> No matter how hard I try, I can't find the security problem and I can't find
> the interoperability advantage.
>
> Hence, the "MUST abort" requirement seems like an unmotivated restriction.
> I'm not saying that we have to change the current draft, I'm just curious to
> understand the real benefits of this requirement.

In a sense it allows a consistent definition of the semantics of SCSV:
The presence of SCSV is equivalent to an empty RI extension. Under such
a definition, the presence of multiple conflicting RIs (especially an
empty RI during a renegotiation) is clearly an abort-able offense!

This "permitted, though NOT RECOMMENDED" practice of sending SCSV during
insecure renegotiation can be (charitably) thought of as not changing
the semantics of SCSV, but instead being a sneaky manipulation in order
to probe the target server to double check that he's still not upgraded.
 This probably does not add any real security (MitM could just drop the
RI from the Server Hello and the client might not be able to detect it
until after he sent his Finished message). Seems like implementations
wishing to use this kind of trickery could do so without it having been
explicitly permitted by the spec.

> Again, based on what I have seen, I would not be surprised.
> I don't think being accountable to the market is a very strong threat

Seriously, got anything better in mind? Security researchers dropping
0-days maybe?

> if a
> safe adjustment to a more liberal processing helps customers to avoid
> interop problems while maintaining the security of the protocol.
> 
> Hence, if there IS a security threat that motivates this, then it is
> extremely important to spell it out in the clear.

At one time some there seemed to be some ambiguity in the specs (or at
least some interpreted it that way) as to whether or not extension data
on the Hellos was actually to included in calculations for the Finished
message verify_data. Perhaps some vendors included it and some did not,
and no one noticed at the time because there were no extensions defined.
I vaguely recall somebody suggesting on this list that (for
interoperability of course) some implementation calculated the
verify_data both ways and accepted either one that matched.

If this is in fact the case, it seems plausible that there might be
implementations (of older specs like SSLv3) out there for which
extension data can be dropped or changed by MitM.

I wonder if considerations for these systems has anything to do with it?

- Marsh
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]