TLS break

Victor Duchovni Victor.Duchovni at morganstanley.com
Mon Nov 9 20:08:23 EST 2009


On Sun, Nov 08, 2009 at 01:08:54PM -0500, Perry E. Metzger wrote:

> I'll point out that in the midst of several current discussions, the
> news of the TLS protocol bug has gone almost unnoticed, even though it
> is by far the most interesting news of recent months.

Not entirely unnoticed:

    http://www.porcupine.org/postfix-mirror/wip.html#tls-renegotiation

For HTTPS, it has been observed that this is not entirely different
from existing CSRF attacks, but it should be noted that with the new
attack, checking "Referrer" headers is no longer effective, so anti-CSRF
defenses have to be more sophisticated (they *should* of course be more
sophisticated, but they rarely are, if they are present at all).

I am looking forward to analyses for other protocols.

There is almost certainly a problem for FTP (over TLS), where just
banning re-negotiation on the server is perhaps reasonable.

-- 
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


