Re: [TLS] TLS or HTTP issue?

Florian Weimer <fweimer@bfk.de> Mon, 09 November 2009 07:41 UTC

Return-Path: <fweimer@bfk.de>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE1623A6AF7 for <tls@core3.amsl.com>; Sun, 8 Nov 2009 23:41:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.082
X-Spam-Level:
X-Spam-Status: No, score=-2.082 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gkBQeULS6JDR for <tls@core3.amsl.com>; Sun, 8 Nov 2009 23:41:34 -0800 (PST)
Received: from mx01.bfk.de (mx01.bfk.de [193.227.124.2]) by core3.amsl.com (Postfix) with ESMTP id DB6493A6A1B for <tls@ietf.org>; Sun, 8 Nov 2009 23:41:32 -0800 (PST)
Received: from mx00.int.bfk.de ([10.119.110.2]) by mx01.bfk.de with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) id 1N7Osk-00082w-9g; Mon, 09 Nov 2009 08:41:46 +0100
Received: by bfk.de with local id 1N7Osk-0002ff-4P; Mon, 09 Nov 2009 07:41:46 +0000
To: Dean Anderson <dean@av8.com>
References: <Pine.LNX.4.44.0911061713270.5276-100000@citation2.av8.net>
From: Florian Weimer <fweimer@bfk.de>
Date: Mon, 09 Nov 2009 07:41:46 +0000
In-Reply-To: <Pine.LNX.4.44.0911061713270.5276-100000@citation2.av8.net> (Dean Anderson's message of "Fri\, 6 Nov 2009 17\:29\:23 -0500 \(EST\)")
Message-ID: <82639kta9x.fsf@mid.bfk.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS or HTTP issue?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 07:41:34 -0000

* Dean Anderson:

>> Theoretically, this attack can be detected by the server,
>
> Theoretically, I think not.

I was referring to the sketched attack in the previous paragraph.  In
our case, the server could notice the changed client certificate in
the renegotiation and bail out, or disable renegotiation altogether.

-- 
Florian Weimer                <fweimer@bfk.de>;
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstra├če 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99