Comment by ekr____

Comment by ekr____ a day ago

55 replies

View on Hacker News

The situation is additionally confused by the fact that the version numbers do not give a good clue to how different the protocols were. Specifically:

SSLv2 was the first widely deployed version of SSL, but as this post indicates, had a number of issues.

SSLv3 is a more or less completely new protocol

TLS 1.0 is much like SSLv3 but with some small revisions made during the IETF standardization process.

TLS 1.1 is a really minor revision to TLS 1.0 to address some issues with the way block ciphers were used.

TLS 1.2 is a moderately sized revision to TLS 1.1 to adjust to advances in cryptography, specifically adding support for newer hashes in response to weaknesses in MD5 and SHA-1 and adding support for AEAD cipher suites such as AES-GCM.

TLS 1.3 is mostly a new protocol though it reuses some pieces of TLS 1.2 and before.

Each of these protocols has been designed so that you could automatically negotiate versions, thus allowing for clients and servers to independently upgrade without loss of connectivity.

nextgens 18 hours ago

TLS1.0 introduced modularity via the concept of "extensions". It's everything but a minor evolution of the protocol.

One of the many things it brought is session tickets, enabling server-side session resumption without requiring servers to keep synced-up state. Another is Server Name Indication, enabling servers to use more than one certificate.

Reply View 1 reply
cortesoft a day ago

> Each of these protocols has been designed so that you could automatically negotiate versions, thus allowing for clients and servers to independently upgrade without loss of connectivity.

And ensuring decades of various downgrade attacks

Reply View 48 replies
  • mcpherrinm a day ago

    The downgrade attacks on TLS are only really present in the case of client behaviour where, on failing to achieve one version, they retry a new connection without it.

    This was necessary to bypass various broken server side implementations, and broken middleboxes, but wasn’t necessarily a flaw in TLS itself.

    But from the learnings of this issue preventing 1.2 deployment, TLS 1.3 goes out of its way to look very similar on the wire to 1.2

    Reply View 46 replies
    • matthewdgreen 11 hours ago

      This isn't really accurate historically. TLS has both ciphersuite and version negotiation. Logjam (2015) [1] was a downgrade attack on the former that's now fixed, but is an extension of an attack that was first noticed way back in 1996 [2]. Similar problems occurred with the FREAK attack, though that was actually a client vulnerability. TLS 1.3 goes out of its way to fix all of this using a better negotiation mechanism, and by reducing agility.

      [1] https://en.wikipedia.org/wiki/Logjam_(computer_security) [2] https://www.usenix.org/legacy/publications/library/proceedin...

      Reply View 0 replies
    • ekr____ a day ago

      Moreover, there's not really much in the way of choices here. If you don't have this kind of automatic version negotiation then it's essentially impossible to deploy a new version.

      Reply View 25 replies
      • upofadown 14 hours ago

        Well you can, but that would require a higher level of political skill than normally exists for such things. What would have to happen is that almost everyone would have to agree on the new version and then implement it. Once implementation was sufficiently high enough then you have a switchover day.

        The big risk with such an approach is that you could implement something, then the politics could fail and you would end up with nothing.

        The big downside of negotiation is that no one ever has to commit to anything so everything is possible. In the case of TLS, that seems to have led to endless bikeshedding which has created a standard which has so many options is is hardly a standard anymore. The only part that has to be truly standard is the negotiation scheme.

        Reply View 9 replies
      • pcthrowaway 21 hours ago

        You could deploy a new version, you'd just have older clients unable to connect to servers implementing the newer versions.

        It wouldn't have been insane to rename https to httpt or something after TLS 1.2 and screw backwards compatibility (yes I realize the 's' stands for secure, not 'ssl', but httpt would have still worked as "HTTP with TLS")

        Reply View 13 replies
      • Dylan16807 a day ago

        Depends on what you mean by "this kind" because you want a way to detect attacker-forced downgrades and that used to be missing.

        Reply View 0 replies
    • frollogaston a day ago

      If a protocol is widely used wrongly, I consider it a flaw in the protocol. But overall, SSL standardization has gone decently well. I always bring it up as a good example to contrast with XMPP as a bad example.

      Reply View 10 replies
      • mcpherrinm a day ago

        Well, my only real point is that it’s not the version negotiation in TLS that’s broken. It’s the workaround for intolerance of newer versions that had downgrade attacks.

        Fortunately that’s all behind us now, and transitioning from 1.2 to 1.3 is going much smoother than 1.0 to 1.2 went.

        Reply View 6 replies
      • meepmorp 13 hours ago

        > I always bring it up as a good example to contrast with XMPP as a bad example.

        Could you expand a bit here? Do you just mean how extensions to the protocol are handled, etc., or the overall process and involved parties?

        Reply View 2 replies
    • sjducb 19 hours ago

      Man in the middle interfering with TLS handshakes?

      The handshake is unencrypted so you can modify the messages to make it look like the server only supports broken ciphers. Then the man in the middle can read all of the encrypted data because it was badly encrypted.

      A surprising number of servers still support broken ciphers due to legacy uses or incompetence.

      Reply View 7 replies
      • ekr____ 13 hours ago

        Yes, this is a seriously difficult problem with only partial solutions.

        The basic math of any kind of negotiation is that you need the minimum set of cryptographic parameters supported by both sides to be secure enough to resist downgrade. This is too small a space to support a complete accounting of the situation, but roughly:

        - In pre-TLS 1.3 versions of TLS, the Finished message was intended to provide secure negotiation as long as the weakest joint key exchange was secure, even if the weakest joint record protection algorithm was insecure, because the Finished provides integrity for the handshake outside of the record layer.

        - In TLS 1.3, the negotiation messages are also signed by the server, which is intended to protect negotiation as long as the weakest joint signature algorithm is secure. This is (I believe) the best you can do with a client and server which have never talked to each other, because if the signature algorithm is insecure, the attacker can just impersonate the server directly.

        - TLS 1.3 also includes a mechanism intended to prevent against TLS 1.3 -> TLS 1.2 downgrade as long as the TLS 1.2 cipher suite involves server signing (as a practical matter, this means ECDHE). Briefly, the idea is to use a sentinel value in the random nonces, which are signed even in TLS 1.2 (https://www.rfc-editor.org/rfc/rfc8446#section-4.1.3).

        Reply View 0 replies
      • mcpherrinm 13 hours ago

        No: while the handshake is unencrypted, it is authenticated. An attacker can’t modify it.

        What an attacker can do is block handshakes with parameters they don’t like. Some clients would retry a new handshake with an older TLS version, because they’d take the silence to mean that the server has broken negotiation.

        Reply View 1 reply
        • mcpherrinm 6 hours ago

          well, unless both client and server have sufficiently weak crypto enabled that an attacker can break it during the handshake.

          Then you can MITM, force both sides to use the weak crypto, which can be broken, and you're in the middle. Also not really so relevant today.

          Reply View 0 replies
      • kevincox 17 hours ago

        You could encrypt the handshake that you recieved with the server's certificate and send it back. Then if it doesn't match what the server thought it sent it aborts the handshake. As long as the server's cert isn't broken this would detect a munged handshake, and if the server's cert is broken you have no root of trust to start the connection in the first place.

        Reply View 3 replies
  • jackgavigan 19 hours ago

    It also enabled cipher strength "step up". Back during the '90s and early 2000s (I'm not sure when it stopped, tbh), the US government restricted the export of strong cryptography, with certain exceptions (e.g. for financial services).

    If you fell under one of those exceptions, you could get a special certificate for your website (from, e.g. Verisign) that allowed the webserver to "step up" the encryption negotiation with the browser to stronger algorithms and/or key lengths.

    Reply View 0 replies
da_chicken 12 hours ago

They still should have just called it TLS v4.0 instead of v1.0.

I'm halfway convinced that they have made subsequent versions v1.1, v1.2, and v1.3 in an outrageously stubborn refusal to admit that they were objectively incorrect to reset the version number.

Reply View 1 reply
  • ekr____ 12 hours ago

    As I noted below, there was real discussion around the version number for TLS 1.3. I don't recall any such discussion for 1.1 and 1.2.

    Reply View 0 replies
1over137 a day ago

Well, at least they were not just versioned by year number. ;)

Reply View 1 reply
  • marcosdumay 10 hours ago

    It would still be better than changing the name for no reason and resetting the version number.

    Reply View 0 replies