Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)

To: Nikos Mavrogiannopoulos <nmav at gnutls.org>
Subject: Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Fri, 6 Nov 2009 11:23:23 -0600
Cc: Eric Rescorla <ekr at rtfm.com>, "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <4AF33D07.7040100 at gnutls.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3 at rtfm.com> <4AF33D07.7040100 at gnutls.org>
User-agent: Mutt/1.5.7i

This vulnerability will affect different application protocols
differently.  It certainly affects HTTP.  I think LDAP may not be
susceptible, but I'm not sure; I'm even less sure about IMAP.  Others
have indicated that there definitely exist other applications besides
HTTP which do suffer from this vulnerability though, and that's the key:
of course there may be more than one application protocol that is made
vulnerable by this TLS problem.

We must fix this problem in TLS itself.  The fix may require changes to
some applications, depending not so much on the protocol as on the TLS
API used.

Nico
--

Follow-Ups:
- Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
  - From: Chris Newman
- Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
  - From: Nathaniel W Filardo

References:
- [TLS] TLS renegotiation issue
  - From: Eric Rescorla
- [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
  - From: Nikos Mavrogiannopoulos

Prev by Date: Re: [TLS] TLS or HTTP issue?
Next by Date: Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
Previous by thread: Re: [TLS] TLS or HTTP issue?
Next by thread: Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)
Index(es):
- Date
- Thread

Re: [TLS] TLS or HTTP issue? (was: TLS renegotiation issue)

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.