TLS break

Tom Weinstein tweinst at
Tue Nov 10 17:45:43 EST 2009

Perry E. Metzger wrote:
> I'll point out that in the midst of several current discussions, the
> news of the TLS protocol bug has gone almost unnoticed, even though it
> is by far the most interesting news of recent months.

Perhaps because there have been so many false alarms over the years. 
Usually when I hear about an SSL MITM attack, it's really a browser UI 
spoofing attack with a bogus cert.

This is the first attack against TLS that I consider to be the real 
deal. To really fix it is going to require a change to all affected 
clients and servers. Fortunately, Eric Rescorla has a protocol extension 
that appears to do the job.

Give a man a fire and he's warm for a day, but set | Tom Weinstein
him on fire and he's warm for the rest of his life.| tweinst at

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list