Date: Tue, 14 Oct 2014 09:21:38 +0200 From: Hanno BÃ¶ck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required Am Tue, 14 Oct 2014 12:39:48 +1100 schrieb Michael Samuel <mik@...net.net>: > On 14 October 2014 00:09, Hanno Böck <hanno@...eck.de> wrote: > > I think this deserves a CVE: > > http://mail.jabber.org/pipermail/operators/2014-October/002438.html > > If a client is willing to do that, then an attacker can simply force > downgrade the client and connect to the server using TLS. (Assuming > client certificates aren't in use) Basically these things often work under a more or less "trust-on-first-use"-assumption. E.g. the client will check the server config on the first connection and use that settings in the future. So there is a scenario where this leads to unintended unencrypted connections. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ