Re: [TLS] Need for S->C signaling




Thanks Nasko,

This is indeed a good reason.

/Stefan


On 09-11-19 4:32 PM, "Nasko Oskov" <noskov at microsoft.com> wrote:

> Stefan Santesson wrote:
>> Just a question to make sure we have accurately exhausted this aspect.
>> 
>> Is it really necessary for the Server to signal that it is patched other than
>> using a modified finished calculation if it is patched/upgraded?
> 
> Yes. If you use the finished message, the attack is still possible.
> 
>> One scenario could be:
>> 
>> 1) Client uses the magic cipher suite to signal that it is patched/upgraded.
>> 2) Client sends a normal finished message.
>> 3a) Un-patched server replies with normal finished message.
>> 3b) Patched server replies with upgraded finished message.
>> 
>> This way the client could determine whether the server is patched or not
>> and act accordingly and get the security context of renegotiate from the
>> patched server.
> 
> Once the server replies with the Finished message, it would move to
> connected state and the HTTP stack is clear to execute the MiTM request. As
> part of developing proof of concept for our own testing, I've observed that
> connecting to IIS server will send the server CCS, Finished, App data.
> Even if the client were to drop the connection, the request has been
> executed and attack is carried out.
> 
>> There are probably reasons why this is not a good idea. I'm just not really
>> sure what they are.
> 
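
The ordering argument in the quoted reply, as an added example that is not part of the original messages: a toy Python model (not a TLS implementation) of a patched client talking to an unpatched server, comparing detection at the ServerHello with detection at the server's Finished. The class and function names, the message labels, and the placement of an early signal in the ServerHello are assumptions made for illustration.

```python
# Toy ordering model of the exchange in the thread; not a TLS implementation.
# Assumed for illustration: class/function names, message labels, and that an
# early server signal would be visible to the client in the ServerHello.

class UnpatchedServer:
    def __init__(self):
        self.state = "handshaking"
        self.queued_request = "request queued before renegotiation"  # constructed
        self.executed = []

    def on_client_hello(self):
        # An unpatched server ignores the magic cipher suite and adds no signal.
        return ["ServerHello"]

    def on_client_finished(self):
        # Per the thread: the server sends CCS, Finished, moves to connected
        # state, and the HTTP stack runs the queued request straight away.
        self.state = "connected"
        self.executed.append(self.queued_request)
        return ["CCS", "Finished(normal)", "AppData"]


def client_run(server, detect_at):
    """Patched client; detect_at is 'ServerHello' or 'Finished'."""
    seen = []
    for msg in server.on_client_hello():
        seen.append(msg)
        if detect_at == "ServerHello" and "signal" not in msg:
            return seen, "aborted before sending Finished"
    # Client sends CCS, Finished; the server's whole flight is already
    # produced by the time the client reads the first byte of it.
    for msg in server.on_client_finished():
        seen.append(msg)
        if detect_at == "Finished" and msg == "Finished(normal)":
            return seen, "dropped after server Finished"
    return seen, "completed"


def compare():
    results = {}
    for point in ("ServerHello", "Finished"):
        server = UnpatchedServer()
        seen, outcome = client_run(server, point)
        results[point] = (outcome, server.state, list(server.executed))
    return results


if __name__ == "__main__":
    for point, result in compare().items():
        print(point, "->", result)
```

With detection at the ServerHello the server never leaves the handshaking state; with detection at the Finished the client still drops the connection, but only after the queued request has run.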


