Maxim Dounin writes:

> While talking about "often" - do you have any stats? Anyway, this is
> quite different from "all client cert-powered apps" you stated in your
> previous message.

IIS defaults to renegotiation when doing client cert auth, and Apache certainly can (possibly must? I don't know) work this way as well. See Ray and Dispensa's original paper:

http://extendedsubset.com/Renegotiating_TLS.pdf

"""In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications."""

So, sure; "all" is an exaggeration, but it's much less wrong than "rarely used".

> - not patching is not an option as it leaves insecure many more
> installations.

Patching/not patching is not always a black and white question whose answer is always "yes". The question is far more gray when the patch breaks protocol compat with a major protocol feature.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
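As an added illustration that is not part of the thread: the Apache pattern the Ray/Dispensa paper describes, in mod_ssl configuration, beside the alternative that requests the client certificate in the initial handshake and so does not depend on renegotiation. Directive names are mod_ssl's (SSLInsecureRenegotiation exists from mod_ssl 2.2.15 onward); the host names, file paths and the /secure location are placeholders.

```apache
# Added example, not from the mailing-list thread. All names and paths are placeholders.

# Alternative 1: client-cert auth scoped to one location. mod_ssl cannot know
# that a certificate is needed until it has read the request path, so it
# completes the handshake without one and then renegotiates to ask for it.
# That mid-connection renegotiation is the step the paper's attack relies on.
# Once the renegotiation fix is applied, a server refuses to renegotiate with
# clients that lack secure-renegotiation support, so this setup stops working
# for those clients; that is the compat break discussed in the thread.
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

# Alternative 2: client-cert auth for the whole vhost. The certificate is
# requested during the initial handshake, so no renegotiation takes place and
# leaving insecure renegotiation disabled (mod_ssl's default; stated here
# explicitly) costs nothing. Clients that never present a certificate are
# turned away at the handshake instead of at a later request.
<VirtualHost *:443>
    ServerName certs.example.test
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLInsecureRenegotiation off
</VirtualHost>
```

Two vhosts on the same port with different ServerName values rely on SNI; on a single-name host, pick one of the two blocks.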
