I-D Action:draft-mrex-tls-secure-renegotiation-01.txt
Internet-Drafts@ietf.org Thu, 26 November 2009 01:00 UTC
Return-Path: <root@core3.amsl.com>
X-Original-To: i-d-announce@ietf.org
Delivered-To: i-d-announce@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 83AD43A6848; Wed, 25 Nov 2009 17:00:01 -0800 (PST)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action:draft-mrex-tls-secure-renegotiation-01.txt
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20091126010001.83AD43A6848@core3.amsl.com>
Date: Wed, 25 Nov 2009 17:00:01 -0800
X-BeenThere: i-d-announce@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: internet-drafts@ietf.org
List-Id: Internet Draft Announcements only <i-d-announce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/i-d-announce>, <mailto:i-d-announce-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i-d-announce>
List-Post: <mailto:i-d-announce@ietf.org>
List-Help: <mailto:i-d-announce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i-d-announce>, <mailto:i-d-announce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 01:00:01 -0000
A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Transport Layer Security (TLS) Secure Renegotiation Author(s) : M. Rex Filename : draft-mrex-tls-secure-renegotiation-01.txt Pages : 16 Date : 2009-11-25 A protocol design flaw in the TLS renegotiation handshake leaves all currently implemented protocol version of TLS (SSLv3 to TLSv1.2) vulnerable to Man-in-the-Middle (MitM) attacks where the attacker can establish a TLS session with a server, send crafted application data of his choice to the server and then proxy an unsuspecting client's TLS handshake into the TLS renegotiation handshake of the server. Many applications on top of TLS see the data injected by the attacker and the data sent by the client as a single data stream and assume that an authentication during the TLS renegotiation handshake or contained in the client's application data applies to the entire data stream received through the TLS-protected communication channel. This document describes a protocol change for all protocol versions of TLS plus SSLv3 that will fix this vulnerability for all communication between updated TLS clients and updated TLS servers. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-mrex-tls-secure-renegotiation-01.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.
- I-D Action:draft-mrex-tls-secure-renegotiation-01… Internet-Drafts