TLS 1.2 - Look before you Leap !

Published: 2011-09-22
Last Updated: 2011-09-22 14:53:50 UTC
by Rob VandenBrink (Version: 1)
9 comment(s)

There's been a lively discussion on vulnerabilities in TLS v1.0 this week, based on an article posted earlier in the week (http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/, http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/, http://isc.sans.edu/diary.html?storyid=11611), which may (or may not, stay tuned) be based on a paper written back in 2006 (http://eprint.iacr.org/2006/136.pdf). Both the paper and the article outline an attack that can decrypt some part of a TLS 1.0 datastream (the article on the attack discusses cookies; we'll need to wait to see what it actually does). In any case, we've been seeing a fair amount of advice in the press recommending upgrading servers to TLS 1.2. I happened to make such a recommendation, with the caveat "if it makes sense in your infrastructure", on a mailing list, and was quickly corrected by Terry, an ISC reader. Terry correctly pointed out that upgrading your server is all well and good, but that's only half of the equation ...

Yes, many (most?) browsers are not yet TLS 1.2 capable. I did a quick check, and while TLS 1.2 has been around for 3 years (http://www.ietf.org/rfc/rfc5246.txt), he was absolutely right.

The TLS support for browsers right now is:
IE9 - TLS 1.0, 1.1, 1.2 all supported via Schannel
IE8 - TLS 1.0 supported by default, 1.1 and 1.2 can be configured
Opera 10.x - supports TLS 1.0, 1.1, 1.2
I don't count older versions of any of these browsers, since people really should have auto-update on. If they don't, they've probably got bigger problems (http://isc.sans.edu/diary.html?storyid=11527)
Mozilla/Firefox - TLS 1.0 only (vote here to get this fixed ==> https://bugzilla.mozilla.org/show_bug.cgi?id=480514)
Chrome - TLS 1.0 only (though an update is rumoured)
Safari - TLS 1.0
Cell phones - various support levels (WebKit has had TLS 1.2 since Nov 2010, but for individual phone browser implementations your mileage may vary)

TLS support for servers is similarly spotty (thanks Swa for this list):
IIS (recent versions) - again, all TLS versions supported
Apache with OpenSSL - 1.0 only
Apache with GNUTLS - 1.2 is supported. (Note, however, that GNUTLS does not have the full feature set that OpenSSL does, nor does it have the body of testing, peer review and overall acceptance that OpenSSL has behind it.)

So, if you plan to upgrade to 1.2 and force clients to 1.2, your clients had better be running Opera and IE9 ONLY. The game plan most folks will follow is to plan for an upgrade if their server supports 1.2 (which means IIS right now) and run both 1.0 and 1.2 in parallel. What this means for us as a community is that if there is in fact a TLS 1.0 exploit, we'll likely start seeing it in conjunction with TLS downgrade attacks - sounds familiar, eh?
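An added example, not part of the original diary: with 1.0 and 1.2 running in parallel, the hello messages of each handshake show which sessions still land on TLS 1.0 and which side held them there. The sketch goes a little beyond the text by reading the version fields off the wire; the function names and the sample hellos are constructed for illustration.

```python
import struct

# Wire values for the versions discussed above (valid for TLS 1.0-1.2 hellos).
NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CLIENT_HELLO, SERVER_HELLO = 1, 2


def hello_version(record: bytes):
    """Return (handshake_type, (major, minor)) from one handshake record."""
    if len(record) < 11:
        raise ValueError("truncated record")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or rec_len > len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs_type = record[5]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello or ServerHello")
    # Bytes 6-8 are the handshake length; the hello's version field follows.
    return hs_type, (record[9], record[10])


def classify(client_hello: bytes, server_hello: bytes) -> str:
    """Say which side kept a session below TLS 1.2, if either did."""
    ctype, offered = hello_version(client_hello)
    stype, chosen = hello_version(server_hello)
    if (ctype, stype) != (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("expected a ClientHello then a ServerHello")
    if chosen > offered:
        return "invalid: server chose a version above the client's offer"
    label = NAMES.get(chosen, "unknown %d.%d" % chosen)
    if chosen >= (3, 3):
        return "ok: " + label
    side = "server" if offered >= (3, 3) else "client"
    return "%s-limited: %s" % (side, label)


def build_hello(hs_type: int, version: tuple) -> bytes:
    """Constructed sample input: a minimal hello with an all-zero random."""
    body = bytes(version) + bytes(32) + b"\x00"  # version, random, no session id
    # One CBC suite (0x002f); ClientHello carries list lengths, ServerHello not.
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == CLIENT_HELLO else b"\x00\x2f\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs  # record header


if __name__ == "__main__":
    ch12, ch10 = build_hello(CLIENT_HELLO, (3, 3)), build_hello(CLIENT_HELLO, (3, 1))
    print(classify(ch12, build_hello(SERVER_HELLO, (3, 3))))
    print(classify(ch12, build_hello(SERVER_HELLO, (3, 1))))
    print(classify(ch10, build_hello(SERVER_HELLO, (3, 1))))
```

A "client-limited" result only reflects what that hello offered; it cannot tell a browser without TLS 1.2 from one that retried at a lower version.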

The other thing that leaps out at me in this mess is cellphones. Any "how popular is my browser" site out there will show the jockeying for market share between the various browsers over the years, and will also show the exponential growth of cellphone browser traffic on the web. Not only are they becoming the most popular browsers out there, they will likely become the majority of browser traffic as well. Updates for cellphone browsers do not come from the browser author, they come from the phone manufacturer, and are generally distributed to end-users of the device by the carrier. So the update of any given component (like the browser) can see significant delay (like months, or never) before real people see it on their device. This update logjam has been an ongoing issue, maybe a "crisis in crypto" will force some improvements in this area!

===============
Rob VandenBrink
Metafore

Keywords: BEAST TLS

Comments

Rob... It's all fine and well to say they should have auto-update on, but a lot of very large organizations use standardized builds and therefore are still running XP and IE6/7. So for a change I'm saying... Have a heart for the Big guys! :-)
We actually posted a diary on legacy browsers way back when ==> http://isc.sans.edu/diary.html?storyid=8149

But nowadays, with the browser being such a target, it's generally not advised to surf the public internet with IE6 or even 7. I've got clients in this situation, we tend to provide the legacy browser via Citrix or VDI type services, so that the IE9 on the workstation has internet access, but the IE6 browser is a captive session to the ERP system (or whatever the app is).
IE9 does support TLS 1.1 and TLS 1.2, but it is *not* on by default. See the first two sentences of http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx for details.

I wonder if IE10 beta has this on by default or if it will when it's released.
FYI, it turns out BEAST was *not* based on that paper, as mentioned in this article http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/ and a tweet from the BEAST authors (https://twitter.com/thaidn/statuses/116348637549826049?_escaped_fragment_=/thaidn/status/116348637549826049#!/thaidn/status/116348637549826049).

Thank you for the content of the post, nice to know where we stand. Bad OpenSSL, bad!
@techvet - I'm running the developer preview of Windows 8 (with IE10). I checked the options and, at least for right now, TLS 1.2 is NOT enabled by default but is a checkbox option in Internet Options.

Cheers.
Cellphones... I guess it depends on your cellphone and your browser. Third-party Dolphin browser for Android is regularly updated independently of the phone manufacturer or the carrier. I don't know if there are others like that, too.

However, I've no idea of their market penetration -- 80%-99% of users may depend on carrier updates as you describe. I've also no idea, of course, when or if Dolphin will address this. It could also be the case that they're all about user interface and dependent on the Webkit implementation on the phone from the manufacturer/carrier. Would be interesting to know.

OpenSSL is claiming they put "countermeasures" in place in .9.6.d 7 years ago. http://marc.info/?l=openssl-users&m=131662297304023&w=2

Followup post claims the problem is with apache for not using it. http://marc.info/?l=openssl-users&m=131670045413717&w=2

Active discussion still so we will have to see where it goes.
Chrome's details are at http://code.google.com/p/chromium/issues/detail?id=90392

Basically Google can't do it till Mozilla does it as they use Mozilla's encryption library. But they are having some argument about some PKCS stuff and which implementation to use. That discussion simply petered out a year ago. Mozilla also look like they're going to concentrate on 1.1 before they look at 1.2 anyway.
The F5 loadbalancer does support TLS 1.1, while the Cisco ACE and CSS loadbalancers don't.
