Re: safe renegotiation bug?

From: Nikos Mavrogiannopoulos
Subject: Re: safe renegotiation bug?
Date: Fri, 28 May 2010 10:05:40 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20100411)

Simon Josefsson wrote:
>>> The client by default permits connections, but I don't think clients
>>> should (by default) allow renegotiation against such servers.
>> Why?
>
> To me it was more that I couldn't answer 'Why not?'. I'm not sure what
> the balance should be. We already decided that (by default) we can't
> disable everything we know is insecure due to interop, so decisions
> whether to enable/disable other things by default are subjective.
>
> NSS does not allow upgraded clients to renegotiate with unupgraded
> servers, see: https://developer.mozilla.org/NSS_3.12.6_release_notes

I do not believe this is a threat since you have already connected to
the server and anyway he can do whatever he wants (he can do mitm with
any other place he chooses even if you do support safe renegotiation).
Anyway I would not object if you add this, I really see it as a very minor
issue. For me, if it proves to be a problem it could be fixed in a minor
release. The current stable version of gnutls does not support any kind
of renegotiation protection and this is much worse.

regards,
Nikos