"Because middleboxes have been created and widely deployed that do not allow protocol versions that they do not recognize, the TLS 1.3 session must be disguised as a TLS 1.2 session."
And, from the bottom of my network-protocol-guy's heart, I hate them and everyone who's ever even seen one with the fiery passion of a million very angry suns.
The particular version number (3.3 representing version 1.2) is due to TLS 1.0 being a minor revision of the SSL 3.0 protocol. Therefore TLS 1.0 is numeric version 3.1, TLS 1.1 is version 3.2, and so on.
Talk about versioning schemes bastardized to hell. If people do that to my specs I hope I'm not around to see it.
Summary: constantly make up new protocol "versions". If everything did this, then middleboxes "that do not allow protocol versions that they do not recognize" will never be functional in the first place.
Was explicit version whitelisting ever a legitimate security recommendation? Naively, it seems like a sane defensive measure against unanticipated behavior.
One reasonable thing to do when the remote peer says "I want to speak TLS 8.6" is to say "Oh, I'm afraid we only allow TLS 1.2 here" and insist on talking TLS 1.2 anyway.
But that's not what these boxes did. They go "TLS 8.6! Set Defence Condition One. Attack In Progress! Prepare For Immediate Nuclear Strike!" and they tear down the whole network connection.
They did this with every previous version of TLS. The accepted lesson at this point is that if these idiots CAN break something they will; we don't care whether it's because they're too stupid not to break it or because they're actively assholes breaking things so nobody can have nice things. It doesn't matter.
This is basically the network equivalent of that guy who just shoots anybody he doesn't recognise on his front step. We don't call that "a sane defensive measure"; we call it murder. Even if he thinks he was just on guard for "unanticipated behaviour", he's going to jail.
The reason for this is to prevent downgrade attacks where an attacker can perform a man-in-the-middle by forcing your client to use an insecure protocol version. It makes sense, even if it occasionally breaks websites.
Preventing downgrade attacks could be done by blacklisting known-bad versions, no?
Assuming all future versions are bad leads to situations like this, where TLS 1.3 (and presumably all future versions) has to tunnel through a pseudo-TLS 1.2 connection.
Again, assuming all future versions are bad is _fine_ if that's what you want to do.
Responding to a peer that says "I know TLS 1.3" with "Too bad, we're talking TLS 1.2" was and is entirely in compliance with the specifications. As far as I know _every_ major middlebox on the market today now does this in their latest versions; most of them advertised this as "TLS 1.3 now supported".‡
But for "security" vendors, silently being secure doesn't sell products; they would rather have an alarm "TLS Protocol Attack prevented!" and block the connection. It doesn't make you any safer, but that was never their priority. It's also easier for them to do than correctly implementing the protocol.
‡ In much the same way that "HD Ready" televisions "supported" High Definition television. In that you couldn't watch HD TV on those televisions, but hey, it was "supported"... those televisions existed in the same universe where HD TV existed. Likewise, modern Cisco or Palo Alto Networks middleboxes "support" TLS 1.3 by saying they want to talk TLS 1.2 instead...
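As an added illustration of the two points made in this thread (that TLS 1.x is encoded on the wire as 3.x+1 and that a TLS 1.3 ClientHello carries legacy_version 3.3 with the real offer in the supported_versions extension, and that a well-behaved peer answers an unknown version by falling back rather than tearing down), here is a small Python script that builds a constructed, minimal ClientHello, parses it back, and models three kinds of peer: a TLS 1.3-aware server, a pre-1.3 peer that only reads legacy_version, and a strict version-whitelisting box. This is example code written for this page, not code from any TLS library or middlebox; the ClientHello is deliberately stripped down (a real TLS 1.3 hello needs key_share and other extensions), and the extension type number 43 and the version-selection rule follow RFC 8446.

```python
import struct

# Wire encoding (major, minor) -> protocol name. TLS 1.0 kept SSL 3.0's
# major number and bumped the minor, so TLS 1.x is encoded as (3, x+1).
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446


def version_name(v):
    return VERSION_NAMES.get(v, f"unknown {v[0]}.{v[1]}")


def build_client_hello(legacy_version, supported_versions=None):
    """Build a constructed, minimal handshake record carrying a ClientHello:
    zero random, empty session id, one cipher suite, null compression and,
    optionally, a supported_versions extension. Illustration only."""
    body = struct.pack("!BB", *legacy_version)
    body += b"\x00" * 32                           # random (constructed)
    body += b"\x00"                                # session_id: empty
    body += struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # compression_methods: null
    ext = b""
    if supported_versions:
        vers = b"".join(struct.pack("!BB", *v) for v in supported_versions)
        data = struct.pack("!B", len(vers)) + vers
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: type 22 (handshake), record version 3.3. This is the
    # "disguised as TLS 1.2" outer layer; RFC 8446 also permits 3.1 here.
    return struct.pack("!BBBH", 22, 3, 3, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (record_version, legacy_version, supported_versions or None)."""
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = (body[0], body[1])
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    supported = None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = data[0]
                supported = [(data[i], data[i + 1]) for i in range(1, 1 + n, 2)]
    return (rmaj, rmin), legacy, supported


def tls13_server_negotiate(record, acceptable):
    """RFC 8446 rule: if supported_versions is present, choose from it and
    ignore legacy_version; otherwise legacy_version is the client's maximum.
    Returns the highest version both sides accept, or None."""
    _, legacy, supported = parse_client_hello(record)
    offered = supported if supported is not None else [legacy]
    common = [v for v in offered if v in acceptable]
    return max(common) if common else None


def legacy_peer_negotiate(record, own_max):
    """A pre-1.3 peer never reads the extension; it treats legacy_version as
    the client's maximum and replies with the lower of the two. This is the
    "Oh, we only allow TLS 1.2 here" behaviour: it works without knowing
    that 1.3 (or an 8.6) exists, because the hello looks like TLS 1.2."""
    _, legacy, _ = parse_client_hello(record)
    return min(legacy, own_max)


def strict_whitelist_peer(record, known):
    """The failure mode described in the thread: any version not on the
    whitelist ends the connection (None) instead of negotiating down."""
    _, legacy, _ = parse_client_hello(record)
    return legacy if legacy in known else None


if __name__ == "__main__":
    hello13 = build_client_hello((3, 3), [(3, 4), (3, 3)])
    rec, legacy, sup = parse_client_hello(hello13)
    print("record", version_name(rec), "legacy", version_name(legacy),
          "offered", [version_name(v) for v in sup])
    print("1.3 server picks", version_name(tls13_server_negotiate(hello13, {(3, 4), (3, 3)})))
    print("old peer picks", version_name(legacy_peer_negotiate(hello13, (3, 3))))
    print("whitelist box on hypothetical 8.6:",
          strict_whitelist_peer(build_client_hello((8, 6)), {(3, 3)}))
```

Run as a script it prints the outer record and legacy versions as TLS 1.2 while the extension offers TLS 1.3, shows a 1.3-aware server picking 1.3, a pre-1.3 peer picking 1.2 from the same bytes, and the whitelisting box refusing a constructed "8.6" hello that a tolerant peer would simply have answered with 1.2.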
That makes no sense; you can very well just say you don't support the version instead of immediately terminating the connection. Same security, but it doesn't break the protocol.
It's designed so that connections that can't be MITM'd (and thus could be assumed to be infiltrating malware/exfiltrating information, since the contents are not visible) are blocked. Fail closed instead of fail open, basically.
Load balancers, IDS systems, traffic analysis, bad firewalls, content filtering systems, transparent proxies, some kinds of "intelligent switches", consumer routers with AV capabilities. Also anything sold by Blue Coat.
IDPs / IPSs, firewalls that need to inspect payload, MitM proxies such as Bluecoat, Websense, etc., network appliances that create layer-7 flow data for debugging applications such as TrueSight, and many more.
Most big companies have contractual requirements to have an IPS/IDP to protect their customers. TLS 1.3 means putting the decryption at the edge, which not everyone has done, then re-encrypting with something their IDP can decrypt.
I visited an infosec trade show recently, you wouldn't believe how many of these boxes are offered to 'improve' corporate security... Most of these boxes will break security chains, spoof DNS responses, require self-signed certs, etc. It's garbage.
Kinda reminded me of 'the box' from the Silicon Valley TV show. I guess corporate managers will prefer something tangible over actual good practices.
I encountered an interesting one at $bigcorp which required everyone in the corp to install shady certificates, and which would then inject <script> tags in all HTTP responses, including in XML and JSON REST responses. That was fun to debug.
It's pretty common for these devices to require you to install their generated CA cert on every machine in the corporation. Administrators deploy it to the domain with a group policy object IIRC.
Firefox users end up having to install it by hand, or else every website comes up as "you are being attacked by a MITM!!!!", which is technically true.
Sadly this also puts laptop users in the situation that they always need to VPN to the office; otherwise sites that use HSTS will break either on or outside the corporate network, depending on where you visited the site first.
Okay. Does that also hold when only the CA is installed? On my machine both Safari and Chrome prevent loading Google and Stack Overflow because when accessing them through the corporate proxy I get a certificate which is signed by the corporate inspection gateway CA.