> On Apr 30, 2019, at 12:21 PM, Michael Wojcik <michael.woj...@microfocus.com>
> wrote:
>
>> From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Felipe
>> Gasper <fel...@felipegasper.com>
>> Sent: Tuesday, April 30, 2019 11:06
>
>> My question is, does TLS allow a client to be _able_ to parse an incomplete
>> message?
>> Or is it that only the entire message can be decoded?
>
> TLS doesn't have the concept of a "message". It has records. Application data
> from the peer may occupy one or more records.
>
> If a record can't be received completely, while it might be possible to
> decrypt the partial content (or, depending on cipher type and chaining mode,
> all but the last cipher block received), it wouldn't be possible to
> authenticate the data. Thus you'd fall prey to Moxie Marlinspike's
> Cryptography Doom Principle. Except in unusual circumstances (e.g. attacking
> the peer, or forensics) you Don't Want To Do That.
>
> Consider that if you're using a stream cipher, or a block cipher in a
> streaming mode such as GCM, an attacker can 1) tamper with the
> application data in a record by bit-flipping, then 2) abort the conversation
> by forging an RST or similar, cutting the tampered block short. If the
> receiver attempts to act on the data in the partial block, the attack
> succeeds.
>
> Even just attempting to decrypt and log the partial data could be dangerous,
> for example if the log is later displayed using a web-based tool that has an
> XSS vulnerability, or some sort of binary parser with an exploitable overflow
> (e.g. a buggy Wireshark dissector).

Ah, ok, that makes sense. Thank you for your response!
-FG
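
The point made in the quoted reply, as an added example that is not part of the original thread: a receiver that buffers until the whole record and its tag have arrived releases nothing for a truncated or altered record, while one that decrypts partial ciphertext hands back altered plaintext. Assumptions: the 2-byte-length record layout, the HMAC-SHA256 counter keystream standing in for the TLS record cipher, and all function names are hypothetical and are not OpenSSL's API.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag length

def _keystream(key, nonce, n):
    # Assumption: HMAC-SHA256 in counter mode stands in for the record cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(mac_key, nonce, hdr, ct):
    return hmac.new(mac_key, nonce + hdr + ct, hashlib.sha256).digest()

def seal(enc_key, mac_key, nonce, plaintext):
    """Toy record: 2-byte length || ciphertext || tag (encrypt-then-MAC)."""
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    hdr = len(ct).to_bytes(2, "big")
    return hdr + ct + _tag(mac_key, nonce, hdr, ct)

def open_record(enc_key, mac_key, nonce, buf):
    """Release plaintext only for a complete record whose tag verifies.
    Returns None while bytes are missing; raises ValueError on a bad tag."""
    if len(buf) < 2:
        return None
    n = int.from_bytes(buf[:2], "big")
    if len(buf) < 2 + n + TAG_LEN:
        return None  # incomplete record: nothing is decrypted or logged
    hdr, ct, tag = buf[:2], buf[2:2 + n], buf[2 + n:2 + n + TAG_LEN]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, hdr, ct)):
        raise ValueError("record authentication failed")
    return _xor(ct, _keystream(enc_key, nonce, n))

def unsafe_partial_decrypt(enc_key, nonce, buf):
    """Anti-pattern: decrypt whatever ciphertext has arrived, tag unseen."""
    ct = buf[2:2 + int.from_bytes(buf[:2], "big")]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))

def demo():
    ek, mk, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    rec = bytearray(seal(ek, mk, nonce, b"status=0 detail=ok"))  # constructed
    rec[2 + 7] ^= 0x01        # one ciphertext bit altered in transit
    cut = bytes(rec[:2 + 8])  # connection reset after 8 ciphertext bytes
    return unsafe_partial_decrypt(ek, nonce, cut), open_record(ek, mk, nonce, cut)
```

demo() returns the pair (partial decrypt result, buffered receiver result): the first is the altered b"status=1", the second is None because the record never completed.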