Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 Oct 2014 07:25:06 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: Nikos Mavrogiannopoulos <nmav@...tls.org>, dkg@...thhorseman.net
Subject: Re: Re: neuter the poodle

On Sat, Oct 18, 2014 at 09:01:55AM +0200, Nikos Mavrogiannopoulos wrote:
> Hi, The attack that you describe below is not an attack on tls
> negotiation. If you would be using the gnutls api as documented it
> wouldn't work. It is an attack on the insecure negotiation used by
> firefox, which as it seems it shares code with thunderbird. The text
> in my description is accurate, the attack affects mostly browsers, and
> if you are using the tls protocol negotiation you are safe.

Hi.

I don't think DKG was suggesting the GnuTLS API is vulnerable to
protocol downgrade attacks if used according to guidelines (I know I
wasn't).

His question relates to your "only browsers" comment, which as my attack
against Thunderbird+IMAPS shows, is inaccurate. My second link contains
a similar mistake by Red Hat.  

--mancha

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ