Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Fri, Jan 16, 2015 at 1:19 PM, Brian Smith <brian@xxxxxxxxxxxxxx> wrote:
Adam Langley <agl@xxxxxxxxxx> wrote:
> On Fri, Jan 16, 2015 at 12:03 PM, Hanno Böck <hanno@xxxxxxxxx> wrote:
>> Recently Mozilla has disabled the now so-called protocol dance, which
>> makes adding another workaround (SCSV) pretty much obsolete:
>
> Until they add TLS 1.3 support, when they'll need it again.

I don't think so, because we can change the way versions are
negotiated for TLS 1.3, so that the issue doesn't arise. In
particular, we can keep ClientHello.client_version as 0x0303 (TLS 1.2)
and negotiate TLS 1.3 with an extension.

Also, the rate of TLS 1.3 intolerance might be significantly lower
than projected. Ivan's numbers are based on a ClientHello with 0x0304
(TLS 1.3) as the record-layer version number. We know from past
experience working on NSS that 0x0301 (TLS 1.0) is a more compatible
record-layer version number. I think it was established that many
servers work fine when ClientHello.client_version = 0x0304 (TLS 1.3)
as long as the record-layer version number is 0x0301 (TLS 1.0) but
break when then record-layer vsion is 0x0304 (TLS 1.3). We'll need to
measure this in a more definitive way, but there's reason to be
optimistic.

Thanks for the detail. I've been planning to run some experiments using
Firefox Telemetry, but haven't gotten around to them yet. More when
I have them.

-Ekr
 
 
Cheers,
Brian



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]