Re: [TLS] simplistic renego protection
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [TLS] simplistic renego protection
Nelson B Bolyard wrote:
> On 2009-11-19 11:20 PST, David-Sarah Hopwood wrote:
>> David-Sarah Hopwood wrote:
>>> Nasko Oskov wrote:
>
>>>> If the MiTM sends a client hello to the server that has no extension,
>>>> then the server has no way to drop the connection. This will require
>>>> a strict server to prevent the attack and strict server config will
>>>> not be reality for a long time. What am I missing?
>>>
>>> That, in the RI approach, strict server config is essential from the
>>> start.
>>
>> Point of clarification: "strict server" here means that the server does
>> not accept *renegotiations* with an unpatched client. It still accepts
>> initial handshakes.
>
> If that is a "strict server", then what is a "lenient server"?
> Is it a vulnerable server?
A server that does accept initial handshakes with an unpatched client
(which obviously makes it vulnerable in that case). However, a lenient
server, unlike an unpatched server, will detect an attack on connections
with a patched client.
I believe this is not enough to consider the server to have been "fixed",
and I think it's a bad idea to end up with a subset of servers that
appear to be patched, but are still vulnerable on some connections.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
Attachment:
signature.asc
Description: OpenPGP digital signature
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
