On 25.06.2018 13:40, Mark Rotteveel wrote:
> On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote:
>> On 25.06.2018 10:47, Mark Rotteveel wrote:
>>> On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote:
>>>> Because it's a bad idea to open to client (especially not authenticated)
>>>> details of problems with authentication.
>>>
>>> I agree with that in general, but in this specific case I don't see
>>> the need for that. Communicating about a mismatch in plugins between
>>> server and client is not a risk.
>>
>> Afraid you are wrong here. It helps an attacker to detect what plugin
>> is actually used by the server (for example - srp or srp256) and use that
>> info to attack a particular plugin later.
>
> That argument doesn't make much sense to me. If an attacker wants to
> probe which plugins a server supports, then they can try to connect
> with a client that passes all known plugins in CNCT_plugin_list, the
> server is then happy to announce all plugins it supports in
> p_acpt_keys. That only wouldn't work if the server is using an unknown
> or obscure third-party plugin (although maybe leaving out
> CNCT_plugin_list would still lead to the server announcing the list,
> not sure?).
> A subsequent 'attack' could then focus on the assumed vulnerable plugin.
>
> In other words, communicating that there is no overlap between plugins
> requested by the client and supported by the server in itself does not leak
> important information, but it does simplify troubleshooting for the
> user without having to access the Firebird log file.

OK, this particular message may be passed to client side. Add a ticket
please.
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel