Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance




David-Sarah Hopwood wrote:
>Marsh Ray wrote:
>> Yair Elharrar wrote:
>>> In addition, until such time that all clients in the world start
>>> supporting this extension (e.g. kiosks in airports), servers will
>>> have to support backward compatibility.
>>
>> It will be a trade-off for each server admin to weigh and decide their
>> policy. I suspect many admins will prefer not to allow insecure
>> connections from unpatched airport kiosks.
>
> To prevent this attack, they don't have to disallow connections, only
> renegotiations in which the extension is not used.
>

That's a very good point. Perhaps the draft could be changed to reflect that?
I can't see any reason why an airport kiosk would need to renegotiate an HTTPS connection (these devices rarely have client certificates installed); however, it should be allowed to connect to secure web sites.

           Yair
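The server policy the thread converges on (accept initial handshakes from clients without the extension, refuse renegotiation unless the extension is present and bound to the previous handshake) modelled as a small decision routine. This is an added example, not code from the thread or the draft; it follows the renegotiation_info mechanism as later published in RFC 5746, and the class and field names are constructed for the model.

```python
"""Server-side renegotiation policy model (constructed example).

A connection starts with handshakes == 0. The first ClientHello may omit
renegotiation_info (a legacy kiosk) and is still accepted. Any later
ClientHello is a renegotiation and must carry renegotiation_info equal to
the client's verify_data from the previous handshake, unless the admin
has explicitly enabled legacy renegotiation."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TlsConnection:
    allow_legacy_renegotiation: bool = False  # the admin's policy knob
    handshakes: int = 0                       # completed handshakes so far
    secure_renegotiation: bool = False        # client offered the extension
    client_verify_data: bytes = b""           # client Finished of last handshake


def handle_client_hello(conn: TlsConnection, extensions: dict) -> str:
    """Return 'accept' or 'reject' for a ClientHello on this connection."""
    ri = extensions.get("renegotiation_info")  # None if extension absent
    if conn.handshakes == 0:
        # Initial handshake: legacy clients may connect; if the extension is
        # present it must be empty (there is no previous handshake to bind).
        if ri is not None and ri != b"":
            return "reject"
        conn.secure_renegotiation = ri is not None
    elif ri is None:
        # Renegotiation without the extension: only if the admin allows it,
        # and never if the client used the extension before (downgrade).
        if conn.secure_renegotiation or not conn.allow_legacy_renegotiation:
            return "reject"
    elif not conn.secure_renegotiation:
        return "reject"  # extension appearing mid-connection is inconsistent
    elif not hmac.compare_digest(ri, conn.client_verify_data):
        return "reject"  # not a continuation of this connection's handshake
    # Simulated handshake completion: record the new client verify_data.
    conn.handshakes += 1
    conn.client_verify_data = secrets.token_bytes(12)
    return "accept"
```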
