Date: Sat, 18 Oct 2014 07:25:06 +0000 From: mancha <mancha1@...o.com> To: oss-security@...ts.openwall.com Cc: Nikos Mavrogiannopoulos <nmav@...tls.org>, dkg@...thhorseman.net Subject: Re: Re: neuter the poodle On Sat, Oct 18, 2014 at 09:01:55AM +0200, Nikos Mavrogiannopoulos wrote: > Hi, The attack that you describe below is not an attack on tls > negotiation. If you would be using the gnutls api as documented it > wouldn't work. It is an attack on the insecure negotiation used by > firefox, which as it seems it shares code with thunderbird. The text > in my description is accurate, the attack affects mostly browsers, and > if you are using the tls protocol negotiation you are safe. Hi. I don't think DKG was suggesting the GnuTLS API is vulnerable to protocol downgrade attacks if used according to guidelines (I know I wasn't). His question relates to your "only browsers" comment, which as my attack against Thunderbird+IMAPS shows, is inaccurate. My second link contains a similar mistake by Red Hat. --mancha [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ