On 5 Apr 2016, at 18:17, Wouter Verhelst <[email protected]> wrote: > On Tue, Apr 05, 2016 at 04:56:28PM +0100, Alex Bligh wrote: >> What I presumed was the reason was that the client could try >> selecting disk 'foo' prior to the TLS, but a man-in-the-middle >> could (whilst cleverly hijacking the TCP session) change this >> to a select of disk 'bar' (which might be his own and laden >> with malware). > > That was (more or less) the idea, yes. Data sent over the wire in the > clear should *not* be able to poison an encrypted connection later on, > even if it is done in the same TCP session.
This is in general a really good reason to drop keeping state server side (as you suggested in your other mail re this specific case). -- Alex Bligh ------------------------------------------------------------------------------ _______________________________________________ Nbd-general mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nbd-general
