Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TLS Version Intolerance

TLS Version Intolerance

Slides from a short talk at the Berlin AppSec & Crypto Meetup, a continuation of Hanno Böck’s talk about TLS version intolerance from a month before. He explained how with TLS 1.3 just around the corner there again are growing compatibility concerns about legacy TLS stacks. I covered the latest TLS WG developments around version negotiation for TLS 1.3 and GREASE.

Tim Taubert

October 06, 2016
Tweet

More Decks by Tim Taubert

Other Decks in Programming

Transcript

  1. Tim Taubert
    @ttaubert
    Version negotiation and
    GREASE in TLS 1.3
    October 2016, Berlin

    View full-size slide

  2. Version Intolerance & Fallbacks
    Downgrade Protections
    TLS 1.3 Version Negotiation
    GREASE

    View full-size slide

  3. Negotiating a TLS connection
    Client: The highest TLS version I support is 1.2.
    Server: I only support TLS 1.1, let’s use that to
    communicate.

    View full-size slide

  4. Hitting a version intolerant server
    Client: The highest TLS version I support is 1.3.
    Server: *does stupid things* d

    View full-size slide

  5. 1st connection attempt:
    Client: The highest TLS version I support is 1.3.
    Server: *does not understand*
    2nd connection attempt:
    Client: The highest TLS version I support is 1.2.
    Server: Now we’re talking!

    View full-size slide

  6. Insecure Version Fallbacks
    Disabled since Firefox 37 and Chrome 50
    POODLE attacks CBC padding in SSL 3.0

    View full-size slide

  7. Version Intolerance & Fallbacks
    Downgrade Protections
    TLS 1.3 Version Negotiation
    GREASE

    View full-size slide

  8. Downgrade Protection Mechanisms
    TLS_FALLBACK_SCSV {0x56, 0x00}
    RFC 7507 by Adam Langley and Bodo Möller

    View full-size slide

  9. Downgrade Protection Mechanisms
    Downgrade sentinels in TLS 1.3
    Static values at the end of ServerHello.random
    TLS 1.2: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x01
    TLS 1.1: 0x44 0x4F 0x57 0x4E 0x47 0x52 0x44 0x00

    View full-size slide

  10. Version Intolerance & Fallbacks
    Downgrade Protections
    TLS 1.3 Version Negotiation
    GREASE

    View full-size slide

  11. TLS 1.3 Version Negotiation
    ClientHello.legacy_version = {3, 3} (static)
    Negotiate via supported_versions extension

    View full-size slide

  12. Version Intolerance & Fallbacks
    Downgrade Protections
    TLS 1.3 Version Negotiation
    GREASE

    View full-size slide

  13. Generate Random Extensions And
    Sustain Extensibility
    “have one joint and keep it well oiled” (AGL)
    Inject GREASE values pseudo-randomly

    View full-size slide

  14. Thanks! Questions?
    https://timtaubert.de/talks/tls-version-intolerance/

    View full-size slide