Save 37% off PRO during our Black Friday Sale! »

TLS Version Intolerance

TLS Version Intolerance

Slides from a short talk at the Berlin AppSec & Crypto Meetup, a continuation of Hanno Böck’s talk about TLS version intolerance from a month before. He explained how with TLS 1.3 just around the corner there again are growing compatibility concerns about legacy TLS stacks. I covered the latest TLS WG developments around version negotiation for TLS 1.3 and GREASE.

6bab41d9b9453e984752a40a0dccbffc?s=128

Tim Taubert

October 06, 2016
Tweet

Transcript

  1. Tim Taubert @ttaubert Version negotiation and GREASE in TLS 1.3

    October 2016, Berlin
  2. Version Intolerance & Fallbacks Downgrade Protections TLS 1.3 Version Negotiation

    GREASE
  3. Negotiating a TLS connection Client: The highest TLS version I

    support is 1.2. Server: I only support TLS 1.1, let’s use that to communicate.
  4. Hitting a version intolerant server Client: The highest TLS version

    I support is 1.3. Server: *does stupid things* d
  5. 1st connection attempt: Client: The highest TLS version I support

    is 1.3. Server: *does not understand* 2nd connection attempt: Client: The highest TLS version I support is 1.2. Server: Now we’re talking!
  6. Insecure Version Fallbacks Disabled since Firefox 37 and Chrome 50

    POODLE attacks CBC padding in SSL 3.0
  7. Version Intolerance & Fallbacks Downgrade Protections TLS 1.3 Version Negotiation

    GREASE
  8. Downgrade Protection Mechanisms TLS_FALLBACK_SCSV {0x56, 0x00} RFC 7507 by Adam

    Langley and Bodo Möller
  9. Downgrade Protection Mechanisms Downgrade sentinels in TLS 1.3 Static values

    at the end of ServerHello.random TLS 1.2: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x01 TLS 1.1: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x00
  10. Version Intolerance & Fallbacks Downgrade Protections TLS 1.3 Version Negotiation

    GREASE
  11. TLS 1.3 Version Negotiation ClientHello.legacy_version = {3, 3} (static) Negotiate

    via supported_versions extension
  12. Version Intolerance & Fallbacks Downgrade Protections TLS 1.3 Version Negotiation

    GREASE
  13. Generate Random Extensions And Sustain Extensibility “have one joint and

    keep it well oiled” (AGL) Inject GREASE values pseudo-randomly
  14. Thanks! Questions? https://timtaubert.de/talks/tls-version-intolerance/