Hi Richard,
Please see in-line.
Thanks,
Yaron
On 10/16/2014 04:50 AM, Richard Barnes wrote:
Richard Barnes has entered the following ballot position for
draft-ietf-uta-tls-attacks-04: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-uta-tls-attacks/
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
It might be useful to note that SSL stripping is a flavor of downgrade
attack. Likewise, it could be worth noting in this section or Section
2.2 that STARTTLS is very vulnerable to downgrade without some sort of
HSTS-like mechanism. For example, there's some recent evidence of
downgrade attacks on mail protocols.
Downgrade in general could use more attention. The IETF can fix things
in newer versions of the protocol, but if the client and server can't
negotiate that version, it's all for naught.
https://www.techdirt.com/blog/netneutrality/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml
Agree on the above and thanks for the link. It is scary indeed that ISPs
actively MITM SMTP traffic to prevent opportunistic encryption from
taking place.
Given the news about POODLE this week, I would suggest changing Section
2.4 to be "Padding Oracle Attacks", and adding POODLE there.
We will look into this, I'm still not sure where to fit the new dog.
I'm surprised not to see some mention of Heartbleed in Section 2.13.
Good idea.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
