Hubert Kario <[email protected]> wrote:
> > there are attacks, like BEAST, that TLS 1.0 is vulnerable to that
> > TLS 1.1 and TLS 1.2 are not - that's a fact there are ciphersuites
> > that are invulnerable to Lucky13 and similar style of attacks that
> > can not be used with TLS 1.0 or TLS 1.1 - that's a fact

BEAST is an attack against Web Browsers (and the abuse known as SSL-VPNs), it is *NO* attack against TLS -- whose design properties are described in appendix F of rfc5246, and there is a trivial workaround for those few apps that were affected. Continued mentioning of BEAST really only means one thing: severe crypto-cluelessness.

http://www.educatedguesswork.org/2011/11/rizzoduong_beast_countermeasur.html

There are two things that BEAST showed:

Running arbitrary attacker-supplied active content is a bad idea!

Performing protocol version downgrade dances is a bad idea.

Lucky thirteen applies equally to all three: TLSv1.0, TLSv1.1 and TLSv1.2, but was a real-world issue only for borked implementations of DTLS (those implementations that were providing a no-limits guessing oracle).

> > that doesn't sound to me like "ZERO security benefit",

You seem to be confusing the difference between (1) ensuring that TLSv1.2 support is enabled with (2) disabling TLSv1.0 + TLSv1.1 support. If you do (1), then (2) does not add security benefits.

> >> On digitally_signed, is proven that TLSv1.2 as defined by rfc5246
> >> is the weakest of them all.
>
> yes, provided that:
> - MD5 is actually in use
> - or Joux does not hold and MD5+SHA1 is _meaningfully_ stronger[1]
>   than SHA-1 alone *and* SHA-1 is actually in use

MD5 || SHA-1 is **ALWAYS** meaningfully stronger than SHA-1 alone, *NO* if!

> >> The POODLE paper
> >> https://www.openssl.org/~bodo/ssl-poodle.pdf
> >>
> >> asserts that many clients doing downgrade dances exist, and at the
> >> time of publication, this includes Mozilla Firefox, Google Chrome and
> >> Microsoft Internet Explorer.
>
> either we consider clients that haven't been updated for half a decade now to
> be of importance, then disabling support for old protocol versions has
> meaningful security benefit, or we ignore them as they include insignificant
> percentage of users and are vulnerable to much easier attacks anyway
>
> so, which way is it?

MSIE seems to still be doing downgrade dances _today_, btw.

-Martin

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
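The two positions in the thread (a "dancing" client lands on the weakest version the server still enables; a client that fails closed gets TLS 1.2 whether or not the old versions are disabled) can be made concrete with a small model. This is an added, constructed simulation, not real TLS code and not from the thread or any implementation named in it; the `Server`, `Network`, `negotiate` and `outcomes` names are mine, and an on-path adversary is modelled only as someone who can make a connection attempt fail.

```python
# Constructed model of the TLS "downgrade dance" (not real TLS, not from the thread).
# A client offers its highest version; an adversary can make attempts fail;
# a "dancing" client answers any failure by retrying with the next lower version.
from dataclasses import dataclass, field

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
NAMES = {TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2", None: "no connection"}


@dataclass
class Server:
    enabled: frozenset  # protocol versions the server will accept

    def hello(self, client_max):
        """RFC 5246 negotiation: highest enabled version not above the client's."""
        ok = [v for v in self.enabled if v <= client_max]
        return max(ok) if ok else None


@dataclass
class Network:
    drops: int                 # attempts the adversary makes fail (e.g. a reset)
    attempts: list = field(default_factory=list)

    def connect(self, server, client_max):
        self.attempts.append(client_max)
        if len(self.attempts) <= self.drops:
            return None        # generic failure: no TLS version alert involved
        return server.hello(client_max)


def negotiate(server, net, dance):
    """Version the client ends up with, or None if it gives up.
    dance=True retries lower on *any* failure, which correct TLS version
    negotiation never requires; dance=False offers TLS 1.2 once, fails closed."""
    offers = [TLS12, TLS11, TLS10] if dance else [TLS12]
    for v in offers:
        got = net.connect(server, v)
        if got is not None:
            return got
    return None


def outcomes(drops):
    """Result for each (server policy, client policy) under `drops` failed attempts."""
    servers = {"all-versions": Server(frozenset({TLS10, TLS11, TLS12})),
               "tls12-only": Server(frozenset({TLS12}))}
    res = {}
    for sname, srv in servers.items():
        for dance in (True, False):
            key = (sname, "dance" if dance else "strict")
            res[key] = NAMES[negotiate(srv, Network(drops), dance)]
    return res
```

With no interference every pairing negotiates TLSv1.2; after two induced failures the dancing client on the all-versions server is at TLSv1.0, while the strict client either has TLSv1.2 or no connection at all, which is what makes (2) redundant once (1) holds for such a client.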
