Re: [Qemu-devel] [PATCH] Improve documentation for TLS

[Alex Bligh]

On 7 Apr 2016, at 13:13, Alex Bligh <address@hidden> wrote:

> I guess it's worth documenting
> this, though I thought it was obvious.

The next version will have this section:

### Downgrade attacks

A danger inherent in any scheme relying on the negotiation
of whether TLS should be employed is downgrade attacks.

There are two main dangers:

* A Man-in-the-Middle (MitM) hijacks a session and impersonates
  the server (possibly by proxying it) claiming not to support
  TLS. In this manner, the client is confused into operating
  in a plain-text manner with the MitM (with the session possibly
  being proxied in plain-text to the server using the method
  below).

* The MitM hijacks a session and impersonates the client
  (possibly by proxying it) claiming not to support TLS. In
  this manner the server is confused into oeprating in a plain-text
  manner with the MitM (with the session being possibly
  proxied to the server with the method above).

With regard to the first, any client that does not wish
to be subject to potential downgrade attack SHOULD ensure
that if a TLS endpoint is specified by the client, it
ensures that TLS is negotiated prior to sending or
requesting sensitive data. To recap, yhe client MAY send
`NBD_OPT_STARTTLS` at any point during option haggling,
and MAY disconnect the session if `NBD_REP_ACK` is not
provided.

With regard to the second, any server that does not wish
to be subject to a potential downgrade attack SHOULD either
used FORCEDTLS mode, or should force TLS on those exports
it is concerned about using SELECTIVE mode and TLS-only
exports. It is not possible to avoid downgrade attacks
on exports which are may be served either via TLS or
in plain text.

-- 
Alex Bligh