Andrzej Kuku??a:
> On Mon, Nov 9, 2009 at 02:29, Wietse Venema <wie...@porcupine.org> wrote:
> > Last week there was big news about a security hole in the TLS
> > protocol that allows a man-in-the-middle to prepend data to a
> > fully-secure TLS session.
>
> Thank you both gentlemen for your hard work on this. I've got possibly
> lame question. I assume STARTTLS is affected, but is also 'wrapper
> mode' vulnerable to this attack? I mean the mode in which client and
> server immediately estabilish encrypted channel, before issuing any
> SMTP command.
It was left as an exercise for the reader.
- At the top of the attack diagram, delete the plaintext phase (the
"SMTP 220 welcome", "SMTP hello" and "SMTP starttls" command and
reply boxes).
- Insert "SMTP 220 welcome" as the first server response after the
renegotiation TLS handshake.
This attack works when the server's TLS engine renegotiates the
session before it encrypts the server's "SMTP 220 welcome".
In the Postfix SMTP server, wrappermode would not be affected for
the same reason that Postfix SMTP server STARTTLS is not affected.
Also, the same SMTP client defenses apply for detecting server
replies that are sent too soon.
Wietse
