On Tue, Jul 10, 2018 at 03:38:42PM +0200, Hubert Kario wrote:

> The github version of the document points out that the security of TLS 1.2
> downgrade protection to TLS 1.1 or TLS 1.0 depends on SHA-1.

Is this accurate? TLS 1.0 uses a combined SHA-1 + MD5 PRF. Are there known attacks that compromise TLS 1.0 via collisions in its PRF?

[ IIRC, one embarrassing feature of TLS 1.2 vs. TLS 1.0 is that in making the signature algorithms negotiable, it became possible to offer and use MD5 where previously TLS 1.0 used SHA-1. ]

> that is the downgrade issue in the protocol

Keep in mind that my example, illustrating potentially counter-productive raising of the floor, was about SHA-1 signatures in certificates. Does accepting SHA-1 signatures in *certificate chains* create opportunities to downgrade TLS 1.2 to TLS 1.0?

For the record, I am not saying that users should not be moving to TLS 1.2 (if they haven't already). Rather, I'm not aware of practical cryptographic downgrade attacks to TLS 1.0 (other than software that might still pessimistically fall back to TLS 1.0 on TLS 1.2 handshake failure). Absent such downgrade attacks, what's really needed is broader support for TLS 1.2 (raising the ceiling), which does not require removal of support for TLS 1.0 (raising the floor).

As a community we're still prone to pursue improved security primarily through removal of weak algorithms, and under-appreciate security improvement via the introduction of stronger algorithms. Of course removal of weak algorithms has its place, if these facilitate downgrade attacks, or present unnecessary attack-surface once no longer used. But we should be careful to not rush into overzealous deprecation that can sometimes do more harm than good.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls