New issue
Advanced search Search tips

Issue 850800 link

Starred by 2 users
Status: Assigned
Owner:
davidben@chromium.org
Components:
EstimatedDays: ----
NextAction: 2018-10-01
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Forbid renegotiations without the renegotiation_info extension

Project Member Reported by davidben@chromium.org, Jun 8 2018 
It's been 8 years. Surely that's long enough...

I think there are enough stacks that don't bother implemention either renego or renegotiation_info that we probably can't straight-up mandate it, but blocking renegos if you don't have the extension seems plausible. I'm going to get some metrics.

(Since renego is largely an enterprise thing, it's possible this will come up inconclusive, but we can see.)
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 12 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7a8e4dfa00eaeb6a7e41381f29060c6c1f38ac19

commit 7a8e4dfa00eaeb6a7e41381f29060c6c1f38ac19
Author: David Benjamin <davidben@chromium.org>
Date: Tue Jun 12 23:07:21 2018

Add histograms for secure and insecure renegotations.

RFC 5746 has been published for 8 years now. No doubt this means
everyone doing renegotiations has supported this by now!

Bug: 850800
Change-Id: Ic5c9eaee55e60c9315bc9126be5e64ce0f9828da
Reviewed-on: https://chromium-review.googlesource.com/1091957
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Alexei Svitkine <asvitkine@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566621}
[modify] https://crrev.com/7a8e4dfa00eaeb6a7e41381f29060c6c1f38ac19/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/7a8e4dfa00eaeb6a7e41381f29060c6c1f38ac19/net/socket/ssl_client_socket_impl.h
[modify] https://crrev.com/7a8e4dfa00eaeb6a7e41381f29060c6c1f38ac19/tools/metrics/histograms/histograms.xml

Comment 2 by davidben@chromium.org, Jun 13 2018

NextAction: 2018-10-01

Comment 3 by davidben@chromium.org, Aug 20 

AGL points out that I'm misunderstanding the renegotiation attack. The more interesting attack is:

Attacker -> Server: handshake
Attacker -> Server: app data
Client -> Server: handshake, but attacker intercepts
Attacker -> Server: proxy the above handshake

Client thinks it's doing an initial handshake. Server thinks it's a renegotiation and that, in particular, the attacker-supplied prefix is part of the stream.

To avoid this you either need the server to reject RI-less renegotiations or for the client to reject *all* RI-less connections.

Thus there's not much the client can do short of full enforcement. If full enforcement is impractical, having the client reject RI-less renegotiations doesn't actually stop the attack. It merely nudges RI-less renegotiating servers to implement RI, which is valuable, but opportunistic RI is insufficient. The server must reject RI-less renegotiation altogether, and that one we can't as easily induce on the client.

It may be worth getting some data again on whether full enforcement is plausible. I recall it wasn't a while ago.

Comment 4 by monor...@bugs.chromium.org, Oct 1 

The NextAction date has arrived: 2018-10-01

Sign in to add a comment