On Sun, Nov 08, 2009 at 01:08:54PM -0500, Perry E. Metzger wrote:

> I'll point out that in the midst of several current discussions, the
> news of the TLS protocol bug has gone almost unnoticed, even though it
> is by far the most interesting news of recent months.

Not entirely unnoticed:

http://www.porcupine.org/postfix-mirror/wip.html#tls-renegotiation

For HTTPS, it has been observed that this is not entirely different from existing CSRF attacks, but it should be noted that with the new attack, checking "Referrer" headers is no longer effective, so anti-CSRF defenses have to be more sophisticated (they *should* of course be more sophisticated, but they rarely are, if they are present at all).

I am looking forward to analyses for other protocols. There is almost certainly a problem for FTP (over TLS), where just banning re-negotiation on the server is perhaps reasonable.

-- 
Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com