On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote:
> On 25.06.2018 10:47, Mark Rotteveel wrote:
>> On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
>>> Because it's a bad idea to open to client (especially not authenticated)
>>> details of problems with authentication.
>> I agree with that in general, but in this specific case I don't see
>> the need for that. Communicating about a mismatch in plugins between
>> server and client is not a risk
> Afraid you are wrong here. It helps an attacker to detect what plugin is
> actually used by server (for example - srp or srp256) and use that info
> to attack that particular plugin later.

That argument doesn't make much sense to me. If an attacker wants to
probe which plugins a server supports, then they can try to connect with
a client that passes all known plugins in CNCT_plugin_list, the server
is then happy to announce all plugins it supports in p_acpt_keys. That
only wouldn't work if the server is using an unknown or obscure
third-party plugin (although maybe leaving out CNCT_plugin_list would
still lead to the server announcing the list, not sure?).
A subsequent 'attack' could then focus on the assumed vulnerable plugin.
In other words, communicating that there is no overlap between plugins
requested by the client and supported by the server in itself does not leak
important information, but it does simplify troubleshooting for the user
without having to access the Firebird log file.
Mark
--
Mark Rotteveel
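The negotiation argued over above (the client offers CNCT_plugin_list, the server answers with p_acpt_keys, and on no overlap either stays silent or reports the mismatch) as a simplified model, added here for illustration. It is not Firebird's wire-protocol code and not part of the thread; the plugin names, the server configuration and the three policy names (silent, generic, echo_server) are constructed. It goes one step beyond the thread by including a third reply variant that echoes the server's own list, to make visible which kind of error text would actually disclose something that the normal accept path does not.

```python
"""Simplified model of authentication plugin negotiation (constructed example;
not Firebird's implementation). CNCT_plugin_list and p_acpt_keys are used as
names for the client's offered list and the server's announced list."""

# Assumed public set of plugin names a client might offer (constructed).
KNOWN_PLUGINS = ["Srp256", "Srp", "Legacy_Auth", "Win_Sspi"]

# Mismatch-reporting policies compared below (names are ours, not Firebird's).
SILENT = "silent"            # reject with a generic "authentication failed"
GENERIC = "generic"          # reject with "no common plugin", naming none
ECHO_SERVER = "echo_server"  # reject and echo the server's own list (the variant to avoid)


def negotiate(server_plugins, cnct_plugin_list, policy=GENERIC):
    """Server side of the handshake (simplified model).

    The server walks its own list in preference order and accepts the first
    plugin the client also offered; p_acpt_keys announces every plugin both
    sides share. On no overlap the reply depends on the mismatch policy.
    'disclosed' holds any plugin names the error text itself carries.
    """
    common = [p for p in server_plugins if p in cnct_plugin_list]
    if common:
        return {"status": "accept", "plugin": common[0],
                "p_acpt_keys": common, "error": None, "disclosed": []}
    reply = {"status": "reject", "plugin": None, "p_acpt_keys": [], "disclosed": []}
    if policy == SILENT:
        reply["error"] = "authentication failed"
    elif policy == GENERIC:
        reply["error"] = "no common authentication plugin between client and server"
    else:  # ECHO_SERVER: the only variant that names the server's plugins
        reply["error"] = "no common plugin; server supports " + ", ".join(server_plugins)
        reply["disclosed"] = list(server_plugins)
    return reply


def inferable_plugins(server_plugins, policy):
    """Plugins an unauthenticated client can confirm from the handshake alone:
    one probe offering every known plugin (the thread's CNCT_plugin_list
    argument) plus whatever names the error replies themselves carry."""
    superset = negotiate(server_plugins, KNOWN_PLUGINS, policy)
    found = set(superset["p_acpt_keys"]) | set(superset["disclosed"])
    # Offering a single plugin the server lacks takes the reject path; only
    # ECHO_SERVER turns that path into information beyond the accept case.
    for p in KNOWN_PLUGINS:
        found |= set(negotiate(server_plugins, [p], policy)["disclosed"])
    return found


def mismatch_error_adds_information(server_plugins):
    """True if a generic 'no common plugin' error (GENERIC) lets a client learn
    more than a bare failure (SILENT). The thread's claim is that it does not."""
    return (inferable_plugins(server_plugins, GENERIC)
            != inferable_plugins(server_plugins, SILENT))


if __name__ == "__main__":
    server = ["Srp256", "Srp"]  # constructed server configuration
    for policy in (SILENT, GENERIC, ECHO_SERVER):
        print(policy, sorted(inferable_plugins(server, policy)))
    print("generic mismatch error adds information:",
          mismatch_error_adds_information(server))
```

With a server configured for Srp256 and Srp, all three policies let the superset probe learn the same two names through p_acpt_keys, so the generic mismatch error adds nothing. The echo variant is different: against a server that also runs an unlisted third-party plugin, a single-plugin probe that misses forces the reject path and the echoed list names the third-party plugin, which is exactly the kind of detail the accept path never reveals.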
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel