TLS 1.2 - Look before you Leap!
There's been a lively discussion on vulnerabilities in TLS v1.0 this week, based on an article posted earlier in the week (http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/, http://www.theregister.co.uk/2011/09/21/google_chrome_patch_for_beast/, http://isc.sans.edu/diary.html?storyid=11611), which may (or may not, stay tuned) be based on a paper written back in 2006 (http://eprint.iacr.org/2006/136.pdf). Both the paper and the article outline an attack that can decrypt some part of a TLS 1.0 datastream (the article on the attack discusses cookies; we'll need to wait to see what it actually does). In any case, we've been seeing a fair amount of advice in the press recommending upgrading servers to TLS 1.2. I happened to make such a recommendation on a mailing list, with the caveat "if it makes sense in your infrastructure", and was quickly corrected by Terry, an ISC reader. Terry correctly pointed out that upgrading your server is all well and good, but that's only half of the equation ...
Yes, many (most?) browsers are not yet TLS 1.2 capable. I did a quick check, and while TLS 1.2 has been around for 3 years (http://www.ietf.org/rfc/rfc5246.txt), he was absolutely right.
The TLS support for browsers right now is:
IE9 - TLS 1.0, 1.1, 1.2 all supported via Schannel
IE8 - TLS 1.0 supported by default, 1.1 and 1.2 can be configured
Opera - 10.x supports TLS 1.0, 1.1, 1.2
I don't count older versions of any of these browsers, since people really should have auto-update on. If they don't, they've probably got bigger problems (http://isc.sans.edu/diary.html?storyid=11527).
Mozilla/Firefox - TLS 1.0 only (vote here to get this fixed ==> https://bugzilla.mozilla.org/show_bug.cgi?id=480514 )
Chrome - TLS 1.0 only (though an update is rumoured)
Safari - TLS 1.0
Cell phones - various support levels (WebKit has had TLS 1.2 since Nov 2010, but for individual phone browser implementations your mileage may vary)
TLS support for servers is similarly spotty (thanks Swa for this list):
IIS (recent versions) - again, all TLS versions supported
Apache with OpenSSL - TLS 1.0 only
Apache with GnuTLS - TLS 1.2 is supported. (Note however that GnuTLS does not have the full feature set that OpenSSL does, nor does it have the body of testing, peer review and overall acceptance that OpenSSL has behind it.)
So, if you plan to upgrade to 1.2 and force clients to 1.2, your clients better be running Opera and IE9 ONLY. The game plan most folks will follow is to plan for an upgrade if their server supports 1.2 (which means IIS right now) and run both 1.0 and 1.2 in parallel. What this means for us as a community is that if there is in fact a TLS 1.0 exploit, we'll likely start seeing it in conjunction with TLS downgrade attacks - sounds familiar, eh?
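Before forcing clients to 1.2, one way to "look before you leap" is to read the offered version out of captured ClientHello messages and count who would be refused. This is an added example, not code from the original diary: the function names and sample records are constructed for illustration, and it assumes TLS 1.0 to 1.2 handshakes, where client_version carries the highest version the client offers.

```python
import struct
from collections import Counter

NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def client_hello_version(record: bytes):
    """Return (major, minor) of ClientHello.client_version, the highest
    version the client offers in TLS 1.0-1.2. Raises ValueError otherwise."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _maj, _min, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len:       # 22 = handshake
        raise ValueError("not a complete handshake record")
    if rec_len < 6 or body[0] != 1:               # 1 = client_hello
        raise ValueError("not a ClientHello")
    # Skip the 3-byte handshake length. The record-header version is NOT
    # used: clients commonly send 3,1 there even when offering TLS 1.2.
    return body[4], body[5]

def make_hello(client_version, record_version=(3, 1)):
    """Build a minimal constructed ClientHello record (sample data only)."""
    body = bytes(client_version) + bytes(32)      # client_version + random
    body += b"\x00"                               # empty session_id
    body += b"\x00\x02\x00\x2f"                   # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                           # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([22, *record_version]) + struct.pack("!H", len(hs)) + hs

def lockout_report(records, minimum=(3, 3)):
    """Tally offered versions and count clients a minimum-only server refuses."""
    offered, refused = Counter(), 0
    for rec in records:
        try:
            version = client_hello_version(rec)
        except ValueError:
            offered["unparsed"] += 1
            continue
        offered[NAMES.get(version, "other")] += 1
        if version < minimum:
            refused += 1
    return offered, refused

# Constructed capture: three TLS 1.0-only clients, two TLS 1.2 clients, one stray packet.
SAMPLE = [make_hello((3, 1))] * 3 + [make_hello((3, 3)), make_hello((3, 3), (3, 3)),
          b"GET / HTTP/1.1\r\n"]

if __name__ == "__main__":
    print(lockout_report(SAMPLE))
```

Fed with real captures from the server's own traffic, the refused count is the share of current clients a 1.2-only configuration would turn away.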
The other thing that leaps out at me in this mess is cellphones. Any "how popular is my browser" site out there will show the jockeying for market share between the various browsers over the years, and will also show the exponential growth of cellphone browser traffic on the web. Not only are they becoming the most popular browsers out there, they will likely become the majority of browser traffic as well. Updates for cellphone browsers do not come from the browser author, they come from the phone manufacturer, and are generally distributed to end-users of the device by the carrier. So the update of any given component (like the browser) can see significant delay (like months, or never) before real people see it on their device. This update logjam has been an ongoing issue, maybe a "crisis in crypto" will force some improvements in this area!
===============
Rob VandenBrink
Metafore
Comments
OJC
Sep 22nd 2011
1 decade ago
But nowadays, with the browser being such a target, it's generally not advised to surf the public internet with IE6 or even 7. I've got clients in this situation; we tend to provide the legacy browser via Citrix or VDI type services, so that the IE9 on the workstation has internet access, but the IE6 browser is a captive session to the ERP system (or whatever the app is).
Rob VandenBrink
Sep 22nd 2011
1 decade ago
I wonder if IE10 beta has this on by default or if it will when it's released.
techvet
Sep 22nd 2011
1 decade ago
Thank you for the content of the post, nice to know where we stand. Bad OpenSSL, bad!
gaten
Sep 22nd 2011
1 decade ago
Cheers.
davidholiman
Sep 22nd 2011
1 decade ago
However, I've no idea of their market penetration -- 80%-99% of users may depend on carrier updates as you describe. I've also no idea, of course, when or if Dolphin will address this. It could also be the case that they're all about user interface and dependent on the Webkit implementation on the phone from the manufacturer/carrier. Would be interesting to know.
Hal
Sep 23rd 2011
1 decade ago
Followup post claims the problem is with Apache for not using it. http://marc.info/?l=openssl-users&m=131670045413717&w=2
Active discussion still so we will have to see where it goes.
baldgeek
Sep 23rd 2011
1 decade ago
Basically Google can't do it till Mozilla does it as they use Mozilla's encryption library. But they are having some argument about some PKCS stuff and which implementation to use. That discussion simply petered out a year ago. Mozilla also look like they're going to concentrate on 1.1 before they look at 1.2 anyway.
Alex
Sep 23rd 2011
1 decade ago
Seccubus
Sep 28th 2011
1 decade ago