Re: safe renegotiation in client side
From: Tomas Mraz
Subject: Re: safe renegotiation in client side
Date: Mon, 15 Mar 2010 23:59:55 +0100
On Mon, 2010-03-15 at 23:38 +0100, Simon Josefsson wrote:
> Nikos Mavrogiannopoulos <address@hidden> writes:
>
> > I have been in favor of enabling safe renegotiation for the client
> > before, but seeing how gnutls is being used today, I might have not been
> > correct and enabling it might cause more trouble than the issue it solves.
>
> I just had a thought, it may be wrong due to late at night...
>
> Using safe renegotiation is only important if the client provides
> credentials, right?
>
> It sounds as if in your testing, GnuTLS clients were unable to talk to
> any server, even if the clients didn't provide a client certificate. Is
> that right?
>
> If that is the case, can't we make GnuTLS accept talking to "old"
> servers by default, but if client certificate authentication is
> requested by the application, it will tear down the connection if the
> server doesn't support safe-renegotiation?
>
> My impression is that client certificate authentication is still not
> that widely used by applications.
>
> This way, we'll be 100% secure but still work in the majority of cases.
> People using client certificate authentication will not be able to talk
> with old servers, but that is what they should get.
Unfortunately the credentials might even take different forms, such as
the auth user name and password, and they might be revealed to the
attacker, which was demonstrated in the Twitter attack.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb