[ Please follow up to mozilla.dev.tech.crypto ]
After some discussion at bug 554594 I'm following up here - the bug was
unfortunately misused by me a little for the initial discussion.
At https://wiki.mozilla.org/Security:Renegotiation under item 4.4 the
following is proposed:
security.ssl.require_safe_negotiation
If set to true, a Mozilla client will reject *all* connection
attempts to servers that are still using the old SSL/TLS protocol
and which might be vulnerable to the attack.
I believe this to be a mistake for various reasons, but first and
foremost because an attack on a server, without compromise of the client
data as well, is basically useless. When an attacker induces
renegotiation at the server, the attacker must have client credentials
in order to act as if he were the original client. Without those
credentials, the attacker would be treated as any other unauthenticated
source.
When a client (as in our case Firefox) implements RFC 5746, the client
can't be compromised and no data is leaked from the client. I propose
that Firefox should support the RFC 5746 extension exclusively, but NOT
block or warn on accessing servers which don't support the extension.
Any renegotiation attempt to the client will be ignored and no data is
leaked.
The advantage of this approach would be earlier support of RFC 5746,
which would facilitate safe renegotiation with servers that support it,
while still allowing support for servers which don't.
SSLv2 was disabled in Firefox only a short while ago, despite the fact
that newer protocols were available for most of the last 14 years. I
expect that it will take years upon years until 90% of all SSL-enabled
servers support RFC 5746, let alone 99% or higher.
Refusing to speak to servers that don't support RFC 5746 - even if the
sites probably never need renegotiation - will have an undesired effect,
either by breaking SSL entirely or forcing the user to accept unsafe
renegotiation, which will leave the user vulnerable once again.
It also must be noted that 99% or more of all SSL-enabled web sites will
never need renegotiation to work. A server which has disabled renegotiation
is at least as secure as a server supporting the new extension. Those
that need it will probably patch their servers sooner or later and are
not a concern IMO.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
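Added example (not part of the post above, and not Mozilla/NSS code): a minimal Python probe that sends a TLS 1.0 ClientHello carrying both RFC 5746 signals, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff) and an empty renegotiation_info extension (type 0xff01), and then reports whether the ServerHello echoes the extension. That echo is exactly what a client implementing RFC 5746 looks for before it will treat renegotiation with that server as safe, and its absence is what the proposed security.ssl.require_safe_negotiation pref would turn into a refused connection. The ServerHello samples in the block are constructed here for offline testing; the function names (probe, build_client_hello, parse_server_hello) are this example's own.

```python
"""Probe a TLS server for RFC 5746 secure renegotiation support (added example)."""
import os
import socket
import struct
from typing import Optional

RENEGOTIATION_INFO_EXT = 0xFF01            # RFC 5746 extension type
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signaling cipher suite value
HANDSHAKE, ALERT = 0x16, 0x15               # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2           # handshake message types


def _u24(n: int) -> bytes:
    """24-bit big-endian length used by handshake message headers."""
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: str, client_random: Optional[bytes] = None) -> bytes:
    """TLS 1.0 record holding a ClientHello with SNI, the SCSV and an empty renegotiation_info."""
    suites = b"".join(struct.pack("!H", s) for s in
                      (0x002F, 0x0035, 0x000A, TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
    name = hostname.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type host_name(0)
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    reneg_ext = struct.pack("!HHB", RENEGOTIATION_INFO_EXT, 1, 0)  # renegotiated_connection = empty
    exts = sni_ext + reneg_ext
    body = (b"\x03\x01" + (client_random or os.urandom(32)) + b"\x00"   # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    msg = bytes([CLIENT_HELLO]) + _u24(len(body)) + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(msg)) + msg


def parse_server_hello(msg: bytes) -> dict:
    """Parse one ServerHello handshake message; report the suite and whether 0xff01 was echoed."""
    if msg[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) < length:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                                  # skip server_version and random
    sid_len = body[pos]; pos += 1 + sid_len       # skip session_id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                      # compression_method
    exts = {}
    if pos + 2 <= len(body):                      # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            exts[etype] = body[pos:pos + elen]; pos += elen
    return {"cipher_suite": suite, "safe_renegotiation": RENEGOTIATION_INFO_EXT in exts}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before ServerHello")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect, send the ClientHello, reassemble the ServerHello across records and parse it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        hs = b""
        while True:
            hdr = _recv_exact(sock, 5)
            ctype, rlen = hdr[0], struct.unpack("!H", hdr[3:5])[0]
            payload = _recv_exact(sock, rlen)
            if ctype == ALERT:
                raise ConnectionError(f"TLS alert level={payload[0]} description={payload[1]}")
            if ctype != HANDSHAKE:
                raise ValueError(f"unexpected record type {ctype:#x}")
            hs += payload
            if len(hs) >= 4 and len(hs) >= 4 + int.from_bytes(hs[1:4], "big"):
                return parse_server_hello(hs)


def sample_server_hello(with_reneg: bool) -> bytes:
    """Constructed ServerHello (not captured from any real server) selecting AES128-SHA."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!HB", 0x002F, 0)
    if with_reneg:
        ext = struct.pack("!HHB", RENEGOTIATION_INFO_EXT, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    return bytes([SERVER_HELLO]) + _u24(len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                  # e.g. python probe.py example.net
    else:
        print(parse_server_hello(sample_server_hello(True)))
```

Run it with a hostname to probe a live server; without arguments it parses the constructed sample. A result of safe_renegotiation False means the server neither understood the SCSV nor the extension, which is the case the post argues a client should tolerate silently (ignoring any later renegotiation request) rather than refuse outright.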