Pretty soon we're going to see a good chunk of the browsers support TLS 1.2, and that's great. At the same time, all browsers are vulnerable to protocol downgrade attacks, whereby an active MITM can downgrade the connection to SSL 3.
Given that this is not a TLS issue (it already defends against protocol rollback), I feel that HSTS would be a good place to implement a defence. If we have an extension that specifies the maximum TLS version supported by the server, browsers can refuse to downgrade. (If the server chooses to negotiate a lower version on the first connection attempt, well, I guess that that could be acceptable.)

Has this been discussed here before?

P.S. In researching this topic I also came across Brian Smith having the same idea: https://bugzilla.mozilla.org/show_bug.cgi?id=450280#c21

-- Ivan

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
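The proposal above, modelled as a small client-side policy store. This is an added illustration, not code from the post or from any browser or IETF draft: the directive name `max-tls-version` is a hypothetical one chosen here (RFC 6797 defines only `max-age` and `includeSubDomains`), and `DowngradeGuard`, `Pin`, `parse_hsts` and `connect` are names invented for the example. It follows the post's trust-on-first-use caveat: a host with no recorded pin is accepted at whatever version the server negotiated, the pin is learned from the HSTS header of that response, and later handshakes that come out below the pinned version are refused before any request is sent (so a header received over a downgraded connection never updates the pin).

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Wire versions as (major, minor) tuples so that ordering comparisons are correct.
TLS_VERSIONS: Dict[str, Tuple[int, int]] = {
    "SSLv3": (3, 0),
    "TLSv1": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}

# Hypothetical directive name (assumption for this example; not part of RFC 6797).
DIRECTIVE = "max-tls-version"


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into {name: value}; names are lower-cased,
    valueless directives (e.g. includeSubDomains) map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


@dataclass
class Pin:
    version: Tuple[int, int]  # lowest protocol version the client will accept for this host


class DowngradeGuard:
    """Trust-on-first-use store of per-host minimum TLS versions."""

    def __init__(self) -> None:
        self.pins: Dict[str, Pin] = {}

    def handshake_ok(self, host: str, negotiated: str) -> bool:
        """Decide, right after the handshake, whether the request may be sent."""
        pin = self.pins.get(host)
        if pin is None:
            return True  # first contact: nothing to compare against yet
        return TLS_VERSIONS[negotiated] >= pin.version

    def record_response(self, host: str, hsts_header: Optional[str]) -> None:
        """Learn or withdraw a pin from a response received over an accepted connection."""
        if not hsts_header:
            return
        d = parse_hsts(hsts_header)
        try:
            max_age = int(d.get("max-age") or 0)
        except ValueError:
            return  # malformed max-age: leave the store untouched
        if max_age <= 0:
            self.pins.pop(host, None)  # server withdrew the policy
            return
        version = TLS_VERSIONS.get(d.get(DIRECTIVE) or "")
        if version is not None:
            self.pins[host] = Pin(version)


def connect(guard: DowngradeGuard, host: str, negotiated: str,
            hsts_header: Optional[str] = None) -> bool:
    """One simulated connection: enforce the pin, then learn from the response.
    Returns False when the connection is refused as a suspected downgrade."""
    if not guard.handshake_ok(host, negotiated):
        return False
    guard.record_response(host, hsts_header)
    return True


if __name__ == "__main__":
    # Constructed sample session: pin learned at TLS 1.2, SSL 3 refused afterwards.
    g = DowngradeGuard()
    print(connect(g, "example.com", "TLSv1.2", "max-age=31536000; max-tls-version=TLSv1.2"))
    print(connect(g, "example.com", "SSLv3"))
```

Note the ordering in `connect`: the pin is checked before the response is read, which is what makes the scheme hold up against an active attacker who controls the downgraded connection and could otherwise inject a permissive header.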
