Hector Santos <[email protected]> writes: > Alexey Melnikov wrote:
>> I would like suggest an alternative: how about saying >> >> The server MUST NOT trust any information obtained from the client, >> such as command verbs and their arguments, prior to the TLS >> negotiation. The client MUST NOT trust any information obtained from >> the server, such as the list of SMTP service extensions, prior to the >> TLS negotiation. >> >> This avoid the whole issue of what the client/server must and must not >> remember. > > I don't follow the client MUST NOT trust statement. Is it not suppose to > believe what the server presents for extensions? > > S: We supports STARTTLS, AUTH CRAM-MD5 > C: Liar!! No you don't, I don't believe you. > > ?? It's not supposed to trust what the server said before STARTTLS, since everything sent before STARTTLS may have been provided by a man-in-the-middle attacker. It's stronger than just not assuming that the same extensions apply. Even if extensions happen to still be available, trusting the extension return before STARTTLS can permit an attacker to launch a down-negotiation attack, for example. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
