I'm not sure I can tell the purpose of TLS_FALLBACK_SCSV. Can it prevent any attack that the Finished message can't?

As far as I understand, the FIN message acts as an authentication code that stops active attackers from dropping protocol versions from the Hello message. What other vulnerabilities does the TLS_FALLBACK_SCSV fix?

Thanks in advance

user140672

1 Answer

A typical behavior of tolerant TLS clients (i.e. browsers) is that they first try a connection with the best TLS protocol version they can. If this fails because of handshake errors, close of the server, or similar strange errors, they will retry again with a lower TLS protocol version in the hope that they are dealing with a buggy server which can only properly deal with lower TLS versions.

This behavior could be misused by an active man in the middle to enforce a downgrade to a lower and less secure TLS version in order to make use of possible insecurities in this version. Therefore, modern clients either don't do such downgrades any longer or they add the TLS_FALLBACK_SCSV pseudo cipher to signal that this is not the best protocol version they could offer. A server which understands this pseudo cipher can thus detect if some man in the middle attempted a TLS version downgrade.

A Finished message will not help in this scenario because it will detect modifications of the current handshake, but not a TLS downgrade because of a connection close inside the handshake which was caused by a man in the middle.

Steffen Ullrich