Summary
TLS has a version negotiation mechanism to securely introduce new versions without breaking compatibility. Yet each time a new one has been deployed, we have found servers that do not behave correctly and browsers have had to add insecure fallbacks to mitigate these broken servers. On every failed connection, we progressively retry, advertising lower and lower versions.
The SSL 3.0 fallback was removed last year due to POODLE. Guided by data from new fallback metrics, we will now be removing the TLS 1.0 fallback as well, raising the minimum fallback version to TLS 1.1.
This will not break TLS 1.0 servers, only those which implement version negotiation incorrectly. This Intent does not propose removing the TLS 1.1 fallback, but we hope to remove that too in the near future.
Motivation
With the fallback enabled, attackers can force version downgrades. FALLBACK_SCSV (RFC 7507) fixes this, but it requires server support. TLS fallbacks also mask implementation bugs and complicate error-handling and diagnosing failures.
Usage information
Over the past 14 days, the TLS 1.0 fallback was needed on 0.00% of HTTPS requests on the beta channel, after rounding.
Compatibility risk
Though the metrics are not on stable, rounding to 0.00% is pretty good. As 45 hits beta and 44 stable, we will monitor metrics and bug reports. If anything unexpected happens, we can revert. Firefox has also successfully removed the fallback (apart from a whitelist I believe).I'm all for it, because essentially these downgrades are a security
risk.
Just asking: Why not remove the TLS 1.1 downgrade? What are the numbers
there?
I would be very surprised if that downgrade mattered at all. From what
I'm aware the vast majority of TLS implementations implemented TLS 1.1
and 1.2 at the same time. Is there anything out there that needs
insecure fallbacks when connecting with TLS 1.2 that will allow a
connection with TLS 1.1? I'd be very surprised (and would like to hear
what kind of product that is).
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/531514bd-c920-4d43-839e-42bc4f3461a1%40chromium.org.
A10 Loadbalancers seem to have the same problem on the management interface...
I had run into the problem with TLS version intolerance when using Weblogic 10.3.5. After switching to JSSE SSL through Weblogic console, AND upgrading the JDK to 1.6 update 101 (non-public update through paid support contract), the problem appears to be resolved.
Without latest Java 1.6 update, the switch to JSSE surfaced a different error instead: ssl_error_weak_server_ephemeral_dh_key
For those with the option to go with a newer release of Weblogic that works with Java 8, that's probably the better option. But if you're stuck with Weblogic 10.3.5 and Java 6, this may work for you as well.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/a30a4b33-7d74-4bc1-93e6-fcf6c71c6c0c%40chromium.org.