On Mon, Sep 26, 2011 at 9:32 AM, ianG <[email protected]> wrote:
>> How about that attack on TLS 1.0 CBC IV chaining? Pretty fun.
>
> I'm guessing this attack is mitigated by use of client cert logins?

If the server app checks for client certs, yes, because the attacker can't use the stolen cookies. (Note that Dirk B.'s proposal for channel binding cookies to ephemeral per-origin client certs has the same effect.)

Another interesting thing we could do in general (and which would have made BEAST much less interesting) would be to have more "types" of cookies. Suppose sites set two types of cookies, one of which is never to be present in cross-site requests. Then this attack would not recover one type of cookie (unless the user, or a legitimate script on the target site were doing many same-origin requests).

Nico
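
Added example, not part of the original message: a small model of the two-cookie-type idea, showing which cookies ride on cross-site requests and which appear only in same-origin ones. The `CookieJar` class, the `sameOriginOnly` flag, the cookie names and the origins are hypothetical, and "cross-site" is approximated here by comparing origins.

```javascript
// Constructed model; CookieJar, sameOriginOnly and all origins are hypothetical.
class CookieJar {
  constructor() { this.cookies = []; }

  // sameOriginOnly marks the cookie type that must never be sent cross-site.
  set(origin, name, value, { sameOriginOnly = false } = {}) {
    this.cookies.push({ origin, name, value, sameOriginOnly });
  }

  // Cookie header attached to a request for targetUrl that was
  // issued by a document loaded from initiatorOrigin.
  headerFor(targetUrl, initiatorOrigin) {
    const target = new URL(targetUrl).origin;
    const crossSite = initiatorOrigin !== target;
    return this.cookies
      .filter((c) => c.origin === target)
      .filter((c) => !(crossSite && c.sameOriginOnly))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Names of the cookies that appear in at least one of the given requests,
// i.e. the ones an observer of those requests could hope to recover.
function exposedNames(jar, requests) {
  const names = new Set();
  for (const { url, initiator } of requests) {
    for (const pair of jar.headerFor(url, initiator).split("; ")) {
      if (pair) names.add(pair.split("=")[0]);
    }
  }
  return [...names].sort();
}

function buildDemoJar() {
  const jar = new CookieJar();
  jar.set("https://bank.example", "prefs", "lang-en");
  jar.set("https://bank.example", "session", "constructed-secret", { sameOriginOnly: true });
  return jar;
}

// Requests triggered from another site versus requests made by the site itself.
const crossSiteRequests = [
  { url: "https://bank.example/a", initiator: "https://other-site.example" },
  { url: "https://bank.example/b", initiator: "https://other-site.example" },
];
const sameOriginRequests = [
  { url: "https://bank.example/account", initiator: "https://bank.example" },
];
console.log(exposedNames(buildDemoJar(), crossSiteRequests));
console.log(exposedNames(buildDemoJar(), sameOriginRequests));
```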
