On Nov 9, 2009, at 3:45 PM, Marsh Ray wrote:

> Yair Elharrar wrote:
>> The proposed draft is intended to resolve an MITM attack scenario, but is the new extension tamper-resistant? Since the MITM handles all traffic between the real client and real server, it could add a fake extension to the 2nd ClientHello with its original verify_data, and empty the returned extension in the ServerHello.
>
> A valid concern, which I believe is addressed by the fact that the 'Finished' message in TLS contains a MAC which covers extensions present on the Client and Server Hellos. IIRC, earlier SSLs did not cover extensions with a MAC.

I think SSLv3 did not allow for client extensions at all, and TLSv1.0 already covered everything.

>> In addition, until such time that all clients in the world start supporting this extension (e.g. kiosks in airports), servers will have to support backward compatibility.
>
> It will be a trade-off for each server admin to weigh and decide their policy. I suspect many admins will prefer not to allow insecure connections from unpatched airport kiosks.
I suspect you have a way too optimistic view of administrators. Currently exactly 0% of browsers are patched. It will be years before even 50% of browsers are patched.
Yoav
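Added illustration, not part of the thread above: a small Python sketch of why the Finished MAC settles Yair's tamper-resistance question. It implements the TLS 1.2 PRF from RFC 5246 (P_SHA256) and the verify_data construction, then feeds it two transcripts: the Hello bytes as the client saw them and the Hello bytes as the server saw them. The handshake messages are a deliberately cut-down encoding (type, random, extensions only) built here for the demo; the master secret, randoms and previous verify_data are constructed values, and the extension type 0xff01 is the renegotiation_info value assigned in RFC 5746. The point shown is that any difference in the extension bytes between the two views changes the transcript hash, so the receiving side's expected verify_data no longer matches the one it receives and the handshake fails.

```python
import hashlib
import hmac
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned in RFC 5746


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion, RFC 5246 section 5: A(i) = HMAC(secret, A(i-1))."""
    out = b""
    a = seed  # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """RFC 5246 7.4.9: PRF(master_secret, finished_label, Hash(handshake_messages)), 12 bytes."""
    return prf(master_secret, label, hashlib.sha256(transcript).digest(), 12)


def build_extension(ext_type: int, data: bytes) -> bytes:
    """Standard extension framing: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_hello(msg_type: int, random: bytes, extensions: list) -> bytes:
    """Toy Hello: handshake type, 3-byte length, 32-byte random, extensions block.
    Constructed for this demo; the real Hello also carries version, session id,
    cipher suites and compression, which would be covered by the MAC just the same."""
    ext_block = b"".join(extensions)
    body = random + struct.pack("!H", len(ext_block)) + ext_block
    return struct.pack("!B", msg_type) + struct.pack("!I", len(body))[1:] + body


def finished_matches(master_secret: bytes, sender_view: bytes, receiver_view: bytes,
                     label: bytes = b"client finished") -> bool:
    """Does the verify_data computed by the sender match what the receiver expects?"""
    sent = verify_data(master_secret, label, sender_view)
    expected = verify_data(master_secret, label, receiver_view)
    return hmac.compare_digest(sent, expected)


def demo():
    """Returns (honest_handshake_ok, tampered_handshake_ok)."""
    master_secret = b"\x11" * 48      # constructed; really derived from the key exchange
    client_random = b"\xaa" * 32      # constructed
    server_random = b"\xbb" * 32      # constructed
    prev_client_verify = b"\x01" * 12 # constructed previous verify_data
    prev_server_verify = b"\x02" * 12 # constructed previous verify_data

    ri_client = build_extension(RENEGOTIATION_INFO, bytes([12]) + prev_client_verify)
    ri_server = build_extension(RENEGOTIATION_INFO,
                                bytes([24]) + prev_client_verify + prev_server_verify)

    # Honest renegotiation: both peers see identical ClientHello and ServerHello bytes.
    ch = build_hello(1, client_random, [ri_client])
    sh = build_hello(2, server_random, [ri_server])
    honest_ok = finished_matches(master_secret, ch + sh, ch + sh)

    # Tampering scenario from the thread: the client sent no renegotiation_info,
    # the relay inserts one towards the server and strips the server's reply
    # towards the client. The two transcripts now differ in the extension bytes.
    client_view = build_hello(1, client_random, []) + build_hello(2, server_random, [])
    server_view = build_hello(1, client_random, [ri_client]) + build_hello(2, server_random, [ri_server])
    tampered_ok = finished_matches(master_secret, client_view, server_view)

    return honest_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the Hello bytes (extensions included) are hashed into verify_data, a relay that rewrites them cannot also produce a Finished that the other side will accept without the master secret, which is why the draft's extension does not need its own integrity protection.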