I reviewed "draft-ietf-uta-tls-attacks-01” (I have not read the recent review comments on the list). Some comments:
- General The title is "Summarizing Current Attacks on TLS and DTLS" but there is no section on Attacks on DTLS. This needs to be fixed. Either you make two separate sections or you need to describe which attacks apply to TLS vs DTLS. All of the attacks in Section 2 does not work on DTLS, e.g. BEAST. - Section 1 "generic and protocol-specific recommendation for the use of TLS and DTLS." Shouldn't this be "recommendations" - Section 2.1 This section is very HTTP focused. Is "SSL Stripping" really a good general term for "Various attacks attempt to remove the use of SSL/TLS altogether", and was Moxie really first with MITM attacks blocking access TLS forcing users to use plaintext? - Section 2.4 "2^26 sessions or 13x2^30" -> "2^26 sessions or 2^33.7" "As a result, RC4 can no longer be seen as providing a sufficient level of security for TLS sessions." Should there be recommendations in this document? - Section 2.5 "cookies" -> "HTTP cookies" I would recommend to write "TLS level" instead of "protocol-level" and "protocol level" Delete ", as recommended below." - Section 2.6 "is only mitigated by TLS 1.1.” -> "was not mitigated before TLS 1.1” or something similar. - Section 2.7 I think you should write out "MITM" -> "Man-in-the-Middle" Cheers, John > _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
