On Tuesday, 14 May 2019 16:52:49 CEST Martin Rex wrote: > Hubert Kario <hka...@redhat.com> wrote: > > Martin Rex wrote: > >> Hubert Kario <hka...@redhat.com> wrote: > >>> MD5 was deprecated and removed by basically every library > >>> and can't be used in TLS 1.2, I specifically meant SHA1 > >> > >> MD5 deprecated ? Nope, glaring emtpy: > >> https://www.rfc-editor.org/errata_search.php?rfc=5246 > >> > >> MD5 removed ? Mostly, but several implementors had to be prodded with > >> > >> with CVE-2015-7575 (SLOTH) to remove it. > > > > I meant in practice > > > >> The real issue at hand is: > >> Prohibiting TLSv1.0 and TLSv1.1 is going to result in lots of > >> interop problems, while at the same time providing *ZERO* > >> security benefit. > > > > that's your opinion, not an established fact > > You got this backwards. > > There is a bold assertion that disabling TLSv1.0 and TLSv1.1 (alone) > would provide security benefits, but a complete lack of proof.
there are attacks, like BEAST, that TLS 1.0 is vulnerable to that TLS 1.1 and TLS 1.2 are not - that's a fact there are ciphersuites that are invulnerable to Lucky13 and similar style of attacks that can not be used with TLS 1.0 or TLS 1.1 - that's a fact that doesn't sound to me like "ZERO security benefit", and similar issues were the reason why we generally don't use SSL2 and SSL3 any more and why RFC 7568 was published > On digitally_signed, is proven that TLSv1.2 as defined by rfc5246 > is the weakest of them all. yes, provided that: - MD5 is actually in use - or Joux does not hold and MD5+SHA1 is _meaningfully_ stronger[1] than SHA-1 alone *and* SHA-1 is actually in use those are big if's 1 - where meaningfully = at least by a work factor of 2^10 > >> What *WOULD* provide *HUGE* benefit, would be to remove the > >> dangerous "protocol version downgrade dance" from careless > >> applications, > >> that is the actual problem known as POODLE, because this subverts the > >> cryptographic procection of the TLS handshake protocol. > >> > >> We've known this downgrade dance to be a problem since the discussion > >> of what became rfc5746. Prohibiting automatic protoocol version > >> downgrade dances is going to ensure that two communication peers > >> that support TLSv1.2 will not negotiate a lower TLS protocol version. > > > > which exact piece of popular software actually still does that? > > It ain't curl, it ain't Chrome, it ain't Firefox. > > It definitely was implemented in Chrome and Firefox, which is how this > poor document got onto standards track: key words: "still" and "was" > The POODLE paper > https://www.openssl.org/~bodo/ssl-poodle.pdf > > asserts that many clients doing downgrade dances exist, and at the > time of publication, this includes Mozilla Firefox, Google Chrome and > Microsoft Internet Explorer. either we consider clients that haven't been updated for half a decade now to be of importance, then disabling support for old protocol versions has meaningful security benefit, or we ignore them as they include insignificant percentage of users and are vulnerable to much easier attacks anyway so, which way is it? -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
