TLS Renegotiation problem
From: Simon Josefsson
Subject: TLS Renegotiation problem
Date: Mon, 09 Nov 2009 16:19:50 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

As you may have heard, people have found out how to attack TLS as used in
many application protocols. For more info see:

http://www.ietf.org/id/draft-rescorla-tls-renegotiation-00.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
http://extendedsubset.com/
http://www.imperialviolet.org/2009/11/05/tls-reneg.html

It is important to understand that you are not vulnerable unless you use
renegotiation, which is not typical. If you use renegotiation, perhaps
to request client certificates in a web server, the simplest "fix" is to
disable any use of renegotiation. You don't need to do this if your
application protocol is robust -- for example XMPP/Jabber appears to be
robust against the problem. HTTPS is not robust.

There is work ongoing to specify a new extension to make TLS
renegotiation safe against this attack, and hopefully GnuTLS will
support it soon. Patches have been published in
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3944 but
not yet tested or verified, and the IETF/IANA has not allocated a TLS
extension number for it yet either.

/Simon