On Fri, 09 Dec 2011 19:54:31 +0100, Eric Rescorla <[email protected]> wrote:
> Unfortunately, many servers do not support TLS 1.1, and to make matters
> worse, they do so in a way that is not securely verifiable. By which I
> mean that an active attacker can force a client/server pair both of
> which support TLS 1.1 down to TLS 1.0. This may be detectable in some
> way, but not by TLS's built-in mechanisms. And since the threat model
> here is an active attacker, this is a problem.
It seems user agents are addressing this issue in general by simply
removing support for those servers, so we might not have to define anything
here and just leave it to the TLS standards:
http://my.opera.com/securitygroup/blog/2011/12/11/opera-11-60-and-new-problems-with-some-secure-servers
--
Anne van Kesteren
http://annevankesteren.nl/
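As an added illustration (not part of either mail, and not real TLS), here is a toy model in Python of the fallback behaviour the thread is about: a client that retries with a lower version after a handshake failure cannot distinguish a version-intolerant server from an active attacker dropping its ClientHello, while a client with a hard minimum version refuses both, which is the "remove support for those servers" trade-off. All names (`Server`, `ActiveAttacker`, `connect_with_fallback`, `connect_strict`) are constructed for this example.

```python
"""Toy model of TLS version fallback (constructed for this example, not real TLS)."""
from dataclasses import dataclass

TLS10, TLS11 = (3, 1), (3, 2)   # record-layer version numbers of TLS 1.0 / 1.1


class HandshakeFailure(Exception):
    """Raised when a ClientHello gets no usable ServerHello back."""


@dataclass
class Server:
    max_version: tuple
    version_intolerant: bool = False  # broken servers abort on an unknown higher version

    def handshake(self, client_version):
        if self.version_intolerant and client_version > self.max_version:
            raise HandshakeFailure("server rejected ClientHello")
        # A conforming server negotiates the highest version both sides support.
        return min(client_version, self.max_version)


@dataclass
class ActiveAttacker:
    """Models the threat in the quoted mail: drops every ClientHello above
    TLS 1.0, so the client only ever sees a generic failure."""
    server: Server

    def handshake(self, client_version):
        if client_version > TLS10:
            raise HandshakeFailure("connection reset")
        return self.server.handshake(client_version)


def connect_with_fallback(peer, versions=(TLS11, TLS10)):
    """Insecure fallback: retry with the next lower version after a failure.
    Returns the negotiated version; the downgrade is invisible to TLS itself."""
    for version in versions:
        try:
            return peer.handshake(version)
        except HandshakeFailure:
            continue
    raise HandshakeFailure("all versions failed")


def connect_strict(peer, minimum=TLS11):
    """No fallback: one attempt, and anything below `minimum` is an error."""
    negotiated = peer.handshake(minimum)
    if negotiated < minimum:
        raise HandshakeFailure("negotiated version below minimum")
    return negotiated
```

Against a conforming server both clients get TLS 1.1; against the attacker the fallback client silently ends up on TLS 1.0, and the strict client fails the connection instead, exactly as it does against a genuinely intolerant server.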