Re: #612: 9.2.2 and ALPN from Greg Wilkins on 2014-11-12 (ietf-http-wg@w3.org from October to December 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Thu, 13 Nov 2014 08:50:02 +1100
To: Ryan Hamilton <rch@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NFQbhVm8ZZ9FiKzLZ2FAT2fvrBf10U3X0S42MrEW__U-A@mail.gmail.com>

On 13 November 2014 03:27, Ryan Hamilton <rch@google.com> wrote:

> On Tue, Nov 11, 2014 at 8:58 PM, Greg Wilkins <gregw@intalio.com> wrote:
>
>> I assume that there is an implied:
>>   BAD = peer MAY fallback to h1 (if able to influence ALPN protocol
>> selection)
>> and that will not be seen as a downgrade attack (or at least and
>> acceptable one).
>>
>
> Can you explain why this would be desirable? It sure sounds like a
> downgrade attack path to me.
>

Well I'm not the advocate for this "feature", just trying to better define
it.     In the h2-14 draft, the final paragraph of
9.2.2 allows for weak ciphers that are unacceptable to h2 to be included in
the handshake so that h1 servers that do not use h2 or strong ciphers can
be connected to without additional round trips.        This has been the
basis of the fragile handshake problem that I have raised as a server could
never really tell if a cipher was being offered for h2 or not and thus was
faced with the prospect of INADEQUATE_SECURITY if it tried h2 on an unknown
cipher.

My understanding of the current proposal is to remove the doubt associated
with the handshake by providing an in spec black list of ciphers.   So my
message was to clarify if those black listed ciphers are there so that they
may be offered in the initial handshake, but only for the purposes of h1
fallback.

So I'm trying to clarify what I server should do if it's TLS layer
negotiates a cipher on the BAD list.   The text that Mark proposes says
that it MAY send INADEQUATE_SECURITY, which means that it may not.   In the
case that it does not send it, I'm assuming that is for the h1 fallback
case and think that needs to be called out in the text.

I think it is a downgrade attack vector, but what I think this WG is trying
to say is that it is an acceptable one.  If either peer wants to avoid it,
they simple need to not offer the bad ciphers.

cheers

-- 
Greg Wilkins <gregw@intalio.com>  @  Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Wednesday, 12 November 2014 21:50:31 UTC