Hi John,
Thanks for your review. Please see responses inline.
On 07/24/2014 08:25 PM, John Mattsson wrote:
> I reviewed "draft-ietf-uta-tls-attacks-01" (I have not read the recent
> review comments on the list). Some comments:
>
> - General
>
> The title is "Summarizing Current Attacks on TLS and DTLS" but there is no
> section on Attacks on DTLS. This needs to be fixed. Either you make two
> separate sections or you need to describe which attacks apply to TLS vs
> DTLS. All of the attacks in Section 2 do not work on DTLS, e.g. BEAST.

Personally, I don't have the precise information on which attacks do and
which do not apply to DTLS. Also, I think the WG interest in DTLS is
very low. So unless we hear strong objections, I suggest removing DTLS
from the draft.

> - Section 1
>
> "generic and protocol-specific recommendation for the use of TLS and DTLS."
> Shouldn't this be "recommendations"?
>
> - Section 2.1
>
> This section is very HTTP-focused. Is "SSL Stripping" really a good
> general term for "Various attacks attempt to remove the use of SSL/TLS
> altogether", and was Moxie really first with MITM attacks blocking access
> to TLS, forcing users to use plaintext?

I personally like the name; it is short and to the point. I suppose the
term (rather than the general idea) was coined by Moxie, and I would
gladly replace it by an earlier reference if you can suggest one.

> - Section 2.4
>
> "2^26 sessions or 13x2^30" -> "2^26 sessions or 2^33.7"
>
> "As a result, RC4 can no longer be seen as providing a sufficient level of
> security for TLS sessions."
> Should there be recommendations in this document?
>
> - Section 2.5
>
> "cookies" -> "HTTP cookies"
>
> I would recommend writing "TLS level" instead of "protocol-level" and
> "protocol level".
>
> Delete ", as recommended below."
>
> - Section 2.6
>
> "is only mitigated by TLS 1.1." -> "was not mitigated before TLS 1.1" or
> something similar.
>
> - Section 2.7
>
> I think you should write out "MITM" -> "Man-in-the-Middle"
>
> Cheers,
> John
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta