On 6/23/22 4:33 PM, Martin Thomson wrote:
Hi Peter,

This looks good overall.

Do you need the (e.g., example.com) parentheticals?  They don't seem to add 
anything.

True.

On Fri, Jun 24, 2022, at 07:03, Peter Saint-Andre wrote:
1. Deployments in which multiple services handle the same domain name
(e.g., foo.example.org) via different protocols (e.g., HTTP and IMAP).
In this case an attacker might be able to direct a connecting endpoint
to the service offering a protocol that provides weaker security or that
is more easily exploitable (see [ALPACA] for more detailed information
about this class of attacks).

The attack in question isn't so much about weaker security (that's true, but a 
little abstract), so I might instead say:

In this case an attacker might be able to direct a connecting endpoint
to the service offering a different protocol and mount a cross-protocol
attack. In a cross-protocol attack, the client and server believe they are
using different protocols, which the attacker might exploit if messages
sent in one protocol are interpreted as messages in the other protocol
with undesirable effects (see [ALPACA] for more detailed information
about this class of attacks).

That's much improved, thanks.

Peter

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
