Turns out tls-unique is *additionally* broken by https://www.mitls.org/pages/attacks/SLOTH, found a few months after the release of RFC7627 that tried to fix it:
> If your TLS application relies on the tls-unique channel binding to prevent
> credential forwarding, you need to redesign your application.
>
> Our attack on the tls-unique channel binding affects application-level
> protocols that rely on this channel binding to prevent credential forwarding
> attacks. In general, all uses of tls-unique are suspect, but the following
> are known to be specifically affected:
>
> * SCRAM is used in SASL and GSSAPI and relies on tls-unique for channel
>   binding. SCRAM is the default authentication protocol for XMPP.
_______________________________________________
Standards mailing list -- [email protected]
To unsubscribe send an email to [email protected]
