
False Start's sad demise: Google abandons noble attempt to make SSL less painful - 3lit3H4ck3r
http://arstechnica.com/business/news/2012/04/google-abandons-noble-experiment-to-make-ssl-less-painful.ars?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+Featured+Content%29
======
tptacek
False Start is conceptually somewhat similar to T/TCP, in that it allows data
to be pipelined with control traffic.

Specifically: False Start instructs clients to release data to the server
before both sides of a TLS connection exchange FINISHED messages. Those
FINISHED messages authenticate the control messages in the handshake, so the
client is giving up some data without being sure that all the handshake
messages were authentic.

A MITM attacker can in theory exploit this to get a client to cough up data
under the rules & assumptions of earlier versions of the protocol or less
secure / different ciphersuites. For instance, there was some question as to
whether False Start would enable an attacker to knock a TLS session down to
TLS 1.0 long enough for an attacker to get cookies with the BEAST CBC IV reuse
problem.

As I understand it, there's no smoking-gun problem with False Start. I also
don't think the security tradeoffs have anything to do with its market
failure! But the performance win also might not have been worth the
disruption. False Start gets TLS down to 1 RTT before data, but TLS resumed
sessions are already 1 RTT before data.

~~~
NateLawson
I explained some of these security issues in a recent talk on False Start and
Snap Start (which was withdrawn from IETF for other reasons).

[http://rdist.root.org/2012/02/27/ssl-optimization-and-
securi...](http://rdist.root.org/2012/02/27/ssl-optimization-and-security-
talk/)

What's interesting to me about Adam's post is how fragile protocol
implementations are in appliance-type devices. Of course, having seen the
internals of other similar devices, I'm not surprised, but the parallels to
consumer electronics are surprising, given the critical nature of these
network appliances.

------
brownbat
"Langley went on to say he has experienced similar problems getting
manufacturers of SSL products to make changes that protect against an exploit
demonstrated in September known as BEAST..."

Not sure who he is referring to when he says "manufacturers of SSL products,"
but it seems damn near impossible to get everyone deploying SSL to fix mixed
content vulnerabilities.

Maybe diverse markets with lots of players just can't do security.

------
vilda
Why not accept a special header similar to "Strict-Transport-Security"? Let it
be X-False-Start and for following requests False Start would be enabled for
that site.

~~~
obtu
As far as opt-in solutions go, the NPN TLS option is simpler. Though large
sites might prefer to go all the way and deploy SPDY.

------
killnine
compatible "with well over 99 percent" and Google is bailing because of the
remaining incompatible sites????

~~~
tptacek
A10 Networks, Brocade, and F5 (in some configurations) all had problems with
False Start.

On the other hand, these terminators also have problems with the split-first-
record fix to the TLS 1.0 BEAST vulnerability, and that problem has to get
fixed.

~~~
gcp
_On the other hand, these terminators also have problems with the split-first-
record fix to the TLS 1.0 BEAST vulnerability, and that problem has to get
fixed._

Do you know if Google is going back on that as well? Can't tell from the
article.

~~~
tptacek
Not sure how you'd "go back on that". It's a vulnerability; it needs to be
addressed.

~~~
gcp
If it breaks websites that your users _require_ to work, like their bank, of
course you can and must go back, security issues be damned.

Google postponed BEAST mitigation several times because of this issue. I'm
asking if they're reigning back on that or only on false start.

------
herf
Why not a DNS TXT record to enable? The TLS method seems so much more
complicated.

~~~
tptacek
If your goal is to cut RTTs out of a transaction, does moving an RTT from TLS
to DNS help?

~~~
JoachimSchipper
To be fair to herf, ANY queries might produce this information in one query.
(Then again, they might silently omit all or part of the answer. Also,
querying "bare" domains like example.org will produce unneeded records like
SOA/NS/MX.)

------
mjwalshe
oh they found it hard so gave up - as some one who used to work with OSI
protocols ad having looked at some the google proposed standards it doesn't
surprise me.

