Re: [TLS] Fingerprinting weaknesses (was: The risk of misconfiguration)

Alyssa Rowan <akr@akr.io> Wed, 07 May 2014 19:04 UTC

Message-ID: <536A83A2.3070701@akr.io>
Date: Wed, 07 May 2014 20:04:02 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <CAK3OfOgYr7d88iuxhXZcos55ymg0i_Q_GHNcXB+w7GRUaEj0bw@mail.gmail.com> <536A67D9.2070302@pobox.com> <CAK3OfOjTehkbKMg40_ZXGXOVjyHHY7UrxLmpyr7Mz00rRo+RLQ@mail.gmail.com> <536A6F8C.7020702@akr.io> <20140507181651.GX27883@mournblade.imrryr.org> <536A7AAE.9030801@akr.io> <20140507184748.GY27883@mournblade.imrryr.org>
In-Reply-To: <20140507184748.GY27883@mournblade.imrryr.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ryE1Vn7feJwrCzs1LMv-2dcuyVQ
Subject: Re: [TLS] Fingerprinting weaknesses (was: The risk of misconfiguration)

On 07/05/2014 19:47, Viktor Dukhovni wrote:

> This is not a compelling reason to remove protocol capabilities.

I think that they are insecure _is_ a compelling reason: we seem
simply to disagree on that point.

More interestingly:

> Cipher-suite signalling is just one of many ways that Mallory can
> determine which clients she can attack undetected.

I wonder, what other ways are there; and how can we stop them, too?

-- 
/akr