On 5 November 2014 08:35, Daniel Kahn Gillmor <[email protected]> wrote:
> * should fallback address only choice of TLS versions (min and max), or
> should it address other features like extensions and ciphersuites? some
> ciphersuites are not available in some versions, and very old versions
> are extension intolerant
>
> * should fallback happen one level at a time, or are there arguments
> for falling back all the way to weakest/most-compatible handshakes?
>
> * how should stateful TLS clients store state about what versions of
> fallback were required to reach any given TLS server?
I think that this would be a valuable discussion, and I'd help contribute to a draft documenting the practice. I can give details on what Firefox is currently doing and planning to do.

In release versions, we walk back based on a range of reasons. This includes TCP RST, which makes us trivially vulnerable to downgrade attack. So there you go, have at it folks. The ratio of fallbacks for spurious reasons to fallbacks for genuine reasons is huge, but we have not been prepared to make those version intolerant sites inaccessible just yet.

In upcoming versions, we are being a lot less lenient in this regard. In addition to lifting the floor by disabling SSL 3.0, we have the downgrade SCSV. We are also currently experimenting with lifting the fallback floor to TLS 1.2, which is showing positive signs in pre-release channels (though we may hold that experiment back for a few cycles, we'll see).

The other thing we have is an initial handshake with RC4 suites (i.e., our weakest cipher suites) disabled. If that fails for a narrower set of reasons, we re-enable those suites, though we keep the version the same. This reduces the likelihood that we'll negotiate RC4 and punishes sites for insisting on using it by adding latency. I believe that this is similar to how Internet Explorer has been operating since version 10.

We don't fall back if we have previously been able to connect successfully at a given version. And we don't offer weak suites if we have used the stronger ones. We don't persist this state over browser restarts though.

I don't recall if we offer GCM in TLS 1.0 or 1.1, but that's the only version-suite interaction I'm aware of that is currently relevant.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
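The fallback policy described in the message above, as an added simulation that is not Firefox code and not part of the original post. The `Server`, `Network` and `Client` classes, the version and suite names, and the reason strings (`tcp_rst`, `handshake_failure`, `inappropriate_fallback`) are assumptions of this example. It shows why treating a TCP RST as a fallback trigger lets a reset on the path turn into a version downgrade, and how each of the three mitigations the mail mentions changes the outcome: refusing to fall back on RST, the downgrade SCSV (RFC 7507) on the server side, and remembering the best version reached for a host. The RC4-last retry at the same version is modelled too, so the latency cost (number of attempts) of insisting on RC4 is visible.

```python
"""Simulation of a one-step-at-a-time TLS fallback policy (added example).
Versions, suites and failure reasons are constructed for the model."""
from dataclasses import dataclass, field

VERSIONS = ["TLS1.0", "TLS1.1", "TLS1.2"]           # weakest to strongest
STRONG_SUITES = ["AES128-GCM-SHA256", "AES128-SHA"]  # offered first
RC4_SUITES = ["RC4-SHA"]                             # only re-enabled on retry
FALLBACK_SCSV = "TLS_FALLBACK_SCSV"                  # RFC 7507 signalling suite


def vidx(v):
    return VERSIONS.index(v)


@dataclass
class Server:
    max_version: str
    suites: list                       # cipher suites the server accepts
    supports_scsv: bool = False        # honours TLS_FALLBACK_SCSV
    version_intolerant: bool = False   # aborts when offered a version above max

    def handshake(self, version, offered):
        """Return (ok, reason, negotiated_suite) for one ClientHello."""
        if self.version_intolerant and vidx(version) > vidx(self.max_version):
            return False, "handshake_failure", None
        if (FALLBACK_SCSV in offered and self.supports_scsv
                and vidx(version) < vidx(self.max_version)):
            return False, "inappropriate_fallback", None  # RFC 7507 alert
        for s in offered:
            if s in self.suites:
                return True, "ok", s
        return False, "handshake_failure", None


@dataclass
class Network:
    """Path that resets any connection offering a version above `reset_above`.
    A broken middlebox and an active downgrade look identical to the client."""
    reset_above: str = None

    def deliver(self, server, version, offered):
        if self.reset_above and vidx(version) > vidx(self.reset_above):
            return False, "tcp_rst", None
        return server.handshake(version, offered)


@dataclass
class Client:
    floor: str = "TLS1.0"
    # reasons allowed to trigger a one-step version fallback
    fallback_reasons: frozenset = frozenset({"tcp_rst", "handshake_failure"})
    # narrower set that only re-enables RC4 at the same version
    rc4_retry_reasons: frozenset = frozenset({"handshake_failure"})
    send_scsv: bool = True
    best_version: dict = field(default_factory=dict)  # host -> version reached
    used_strong: set = field(default_factory=set)     # hosts that took a strong suite

    def connect(self, host, server, net=None):
        """Return (version, suite, attempts) on success or
        (None, reason, attempts) when the client gives up."""
        net = net or Network()
        top = VERSIONS[-1]
        # never walk below a version that worked for this host before
        lowest = max(self.floor, self.best_version.get(host, self.floor), key=vidx)
        version, attempts = top, 0
        while True:
            offered = list(STRONG_SUITES)
            if self.send_scsv and version != top:
                offered.append(FALLBACK_SCSV)   # signal that this is a fallback
            attempts += 1
            ok, reason, suite = net.deliver(server, version, offered)
            if (not ok and reason in self.rc4_retry_reasons
                    and host not in self.used_strong):
                attempts += 1                   # same version, RC4 re-enabled
                ok, reason, suite = net.deliver(server, version, offered + RC4_SUITES)
            if ok:
                self.best_version[host] = max(
                    version, self.best_version.get(host, version), key=vidx)
                if suite in STRONG_SUITES:
                    self.used_strong.add(host)
                return version, suite, attempts
            if reason in self.fallback_reasons and vidx(version) > vidx(lowest):
                version = VERSIONS[vidx(version) - 1]
                continue
            return None, reason, attempts


if __name__ == "__main__":
    modern = Server("TLS1.2", STRONG_SUITES + RC4_SUITES)
    resets = Network(reset_above="TLS1.0")
    print("lenient + RST:", Client().connect("a", modern, resets))
    print("no RST fallback:", Client(fallback_reasons=frozenset({"handshake_failure"}))
          .connect("a", modern, resets))
    print("server SCSV:", Client().connect("b", Server("TLS1.2", STRONG_SUITES,
                                                        supports_scsv=True), resets))
```

Running the script shows the lenient client landing on TLS1.0 after three attempts purely because of resets, while the client that ignores RST and the SCSV-aware server both stop the walk-down; the old RC4-only, version-intolerant server costs six handshakes before it is reached.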
