Re: #612: 9.2.2 and ALPN

> On Nov 12, 2014, at 7:27 PM, Jason Greene <jason.greene@redhat.com> wrote:
> 
> 
>> On Nov 12, 2014, at 4:40 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>> 
>>> On Tue, Nov 11, 2014 at 8:58 PM, Greg Wilkins <gregw@intalio.com> wrote:
>>> 
>>> I think it is a downgrade attack vector, but what I think this WG is trying to say is that it is an acceptable one.  If either peer wants to avoid it, they simply need to not offer the bad ciphers.
>>> 
>> Can you please explain how this downgrade attack works?
> 
> In order to deal with servers which, perhaps mistakenly, accept non-h2 compliant ciphers, a client has to choose between failing the connection entirely (when H1 would have worked fine), or opening a new connection. If that new connection offers a weaker selection of ciphers (perhaps some kind of fallback to an old code path) it becomes a potential target. 

Even if you fall back to HTTP/1, there is no reason to avoid offering the strongest ciphers you can. Browsers have been offering weird ciphersuites for years: Firefox has Camellia, there are two kinds of SCSV, GOST plug-ins in Russia. The web is mostly tolerant of unknown ciphersuites. So falling back to ALPN with only h1 or no ALPN at all with both preferred and not-so-preferred ciphersuites should work.

Besides, IMO the fallback should be different. If the client offers h1 or h2, and both AES-GCM and 3DES-CBC, and the server comes back with h2 + 3DES-CBC, then a browser that wishes to follow 9.2.2 MAY send an INADEQUATE_SECURITY, and follow that with another attempt, offering only h2 and only AES-GCM (or any other “white-list” ciphersuite). We already know that the server supports h2, so supposedly it does support the mandatory-to-implement ciphersuite, but it has trouble selecting the right one when given too much choice (call it the embarras du choix bug), so proposing only h2 with acceptable ciphersuites might work.

If it doesn’t then the client has a choice of h2 with a not-so-preferred ciphersuite (which is not allowed by the spec) or h1 with the same not-so-preferred ciphersuite (which the spec is silent about, because this is a spec for h2, not h1).

Yoav

Received on Thursday, 13 November 2014 05:59:17 UTC
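An added example, not part of the thread: a small Python model of the retry sequence Yoav describes (offer h2+h1 with all suites; on h2 plus a black-listed suite, answer INADEQUATE_SECURITY and retry with only h2 and only white-listed suites; as a last resort fall back to h1 while still offering the strong suites), run against two constructed servers. The server behaviours `buggy_server` and `des_only_server` and the client policy in `negotiate` are assumptions for illustration; the suite names are real TLS names.

```python
# Constructed for illustration; not code from the HTTP/2 WG or any browser.
# RFC 7540 Appendix A lists CBC suites such as 3DES as unacceptable for h2,
# and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the mandatory-to-implement suite.
H2_ACCEPTABLE = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
WEAK_3DES = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
STRONG = sorted(H2_ACCEPTABLE)


def buggy_server(protocols, suites):
    """Constructed 'embarras du choix' server: it does implement AES-GCM,
    but given a long list it picks the last suite offered."""
    proto = "h2" if "h2" in protocols else "http/1.1"
    return proto, suites[-1]


def des_only_server(protocols, suites):
    """Constructed server that only implements 3DES; returns None when the
    handshake cannot complete because 3DES was not offered."""
    if WEAK_3DES not in suites:
        return None
    proto = "h2" if "h2" in protocols else "http/1.1"
    return proto, WEAK_3DES


def negotiate(server):
    """Client policy from the thread. Returns (protocol, suite, attempts)
    or None. Strong suites are never dropped from any offer, so the
    fallback connection is never weaker than the first one."""
    offers = [
        (["h2", "http/1.1"], STRONG + [WEAK_3DES]),  # first connection
        (["h2"], STRONG),                            # after INADEQUATE_SECURITY
        (["http/1.1"], STRONG + [WEAK_3DES]),        # h1 fallback, strong still offered
    ]
    for attempt, (protocols, suites) in enumerate(offers, start=1):
        result = server(protocols, suites)
        if result is None:
            continue  # handshake failed; try the next offer
        proto, suite = result
        if proto == "h2" and suite not in H2_ACCEPTABLE:
            continue  # 9.2.2: INADEQUATE_SECURITY, retry with a narrower offer
        return proto, suite, attempt
    return None


if __name__ == "__main__":
    print(negotiate(buggy_server))     # h2 on AES-256-GCM at attempt 2
    print(negotiate(des_only_server))  # http/1.1 on 3DES at attempt 3
```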