Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Fri, 2016-06-03 at 00:17 -0400, Dave Garrett wrote: > Allrighty then; time to dust off and rebase an old changeset I was > fiddling with last year on this topic: > https://github.com/davegarrett/tls13-spec/commit/058ff1518508b094b8c9 > f1bd4096be9393f20076 > (I cleaned up a bit when rebasing, bu

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

I strongly support this proposal. Best, Xiaoyin From: Dave Garrett Sent: Friday, June 3, 2016 12:17 To: tls@ietf.org Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time] Allrighty then; time to dust

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Allrighty then; time to dust off and rebase an old changeset I was fiddling with last year on this topic: https://github.com/davegarrett/tls13-spec/commit/058ff1518508b094b8c9f1bd4096be9393f20076 (I cleaned up a bit when rebasing, but it probably needs some work; was just a WIP branch, never a PR

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On 3 June 2016 at 01:07, David Benjamin wrote: > But reality is what it is. The Law of the Internet is the last thing that > changed is blamed. We have a limited "budget" we can spend breaking things > (otherwise I'd have removed almost everything by now!) and there is no > chance I can break all

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Thursday 02 June 2016 15:22:03 David Benjamin wrote: > On Thu, Jun 2, 2016 at 11:07 AM David Benjamin > wrote: > > On Thu, Jun 2, 2016 at 6:43 AM Hubert Kario wrote: > >> On Thursday 02 June 2016 11:39:20 Yoav Nir wrote: > >> > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos > >> > > w

Re: [TLS] Downgrade protection, fallbacks, and server time

> On Jun 2, 2016, at 11:16 AM, David Benjamin wrote: > > I've mused on something like that (I was the main driver behind painstakingly > removing the existing version fallback in Chrome), but I don't think > non-determinism is a good idea. Site owners need to be able to reproduce the > failur

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Thursday 02 June 2016 15:07:53 David Benjamin wrote: > On Thu, Jun 2, 2016 at 6:43 AM Hubert Kario wrote: > > On Thursday 02 June 2016 11:39:20 Yoav Nir wrote: > > > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos > > > > wrote:> > > > > > > > > On Wed, 2016-06-01 at 15:43 -0700, Eric R

Re: [TLS] Downgrade protection, fallbacks, and server time

On Thu, Jun 2, 2016 at 11:20 AM Hubert Kario wrote: > > > Speaking of version number, does the text say that a server _MUST_ > > > accept any version higher than the one that is specified in the RFC, > > > but reply with 0x03,0x04 in case it doesn't support any future > > > version of the protoco

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Thu, Jun 2, 2016 at 11:07 AM David Benjamin wrote: > On Thu, Jun 2, 2016 at 6:43 AM Hubert Kario wrote: > >> On Thursday 02 June 2016 11:39:20 Yoav Nir wrote: >> > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos >> > > wrote:> >> > > On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wro

Re: [TLS] Downgrade protection, fallbacks, and server time

On Thursday 02 June 2016 14:49:52 David Benjamin wrote: > On Thu, Jun 2, 2016 at 6:40 AM Hubert Kario wrote: > > On Wednesday 01 June 2016 22:29:06 David Benjamin wrote: > > > In case folks hoped we could bump the ClientHello version without > > > those dreaded browser fallbacks, I have bad news.

Re: [TLS] Downgrade protection, fallbacks, and server time

On Thu, Jun 2, 2016 at 10:59 AM Viktor Dukhovni wrote: > > > On Jun 2, 2016, at 10:49 AM, David Benjamin > wrote: > > > > I'm not sure I follow. The specification certainly spells out how > version negotiation is supposed to work. That hasn't stopped servers from > getting it wrong. Fundamentall

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Thu, Jun 2, 2016 at 6:43 AM Hubert Kario wrote: > On Thursday 02 June 2016 11:39:20 Yoav Nir wrote: > > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos > > > wrote:> > > > On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wrote: > > >> 2% is actually pretty good, but I agree that we're g

Re: [TLS] Downgrade protection, fallbacks, and server time

> On Jun 2, 2016, at 10:49 AM, David Benjamin wrote: > > I'm not sure I follow. The specification certainly spells out how version > negotiation is supposed to work. That hasn't stopped servers from getting it > wrong. Fundamentally this is the sort of thing where bugs don't get noticed > unt

Re: [TLS] Downgrade protection, fallbacks, and server time

On Thu, Jun 2, 2016 at 6:40 AM Hubert Kario wrote: > On Wednesday 01 June 2016 22:29:06 David Benjamin wrote: > > In case folks hoped we could bump the ClientHello version without > > those dreaded browser fallbacks, I have bad news. :-( 1.3 intolerance > > very much exists. (Maybe we should just

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Thursday 02 June 2016 11:39:20 Yoav Nir wrote: > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos > > wrote:> > > On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wrote: > >> 2% is actually pretty good, but I agree that we're going to need > >> fallback. > > > > Please not. Lets let thes

Re: [TLS] Downgrade protection, fallbacks, and server time

On Wednesday 01 June 2016 22:29:06 David Benjamin wrote: > In case folks hoped we could bump the ClientHello version without > those dreaded browser fallbacks, I have bad news. :-( 1.3 intolerance > very much exists. (Maybe we should just give up on > ClientHello.version and use an extension? Exten

Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

> On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos wrote: > > On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wrote: >> 2% is actually pretty good, but I agree that we're going to need >> fallback. > > Please not. Lets let these fallbacks die. Not every client is a > browser. TLS 1.3 must b

[TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wrote: > 2% is actually pretty good, but I agree that we're going to need > fallback. Please not. Lets let these fallbacks die. Not every client is a browser. TLS 1.3 must be a protocol which doesn't require hacks to operate. CBC was removed, lets d