[Cryptography] Vulnerability found in badly broken email apps that use PGP and S/MIME
Viktor Dukhovni
cryptography at dukhovni.org
Fri May 18 22:35:03 EDT 2018
> On May 18, 2018, at 8:44 PM, Ondrej Mikle <ondrej.mikle at gmail.com> wrote:
>
> BTW does anyone know what would happen if you "curl https://url.somewhere |
> bash" if the stream was large and output (deliberately) corrupted? (I am not
> saying that it is a good idea to use curl to pipe to bash, but a lot of people
> got used to thinking that since it's https, it's OK - but I don't know what
> actually happens when the integrity check fails).
TLS does not return unverified data, TLS data is broken up into
records, and each record is verified before it is given to the
application. This is the only way to handle stream integrity,
you have to break the stream into chunks, authenticate the
chunks, and ensure that reordering is not possible by including
the chunk number or offset in the MAC.
--
Viktor.
More information about the cryptography
mailing list