Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 18 Oct 2014 07:25:06 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: Nikos Mavrogiannopoulos <nmav@...tls.org>, dkg@...thhorseman.net
Subject: Re: Re: neuter the poodle

On Sat, Oct 18, 2014 at 09:01:55AM +0200, Nikos Mavrogiannopoulos wrote:
> Hi, The attack that you describe below is not an attack on tls
> negotiation. If you would be using the gnutls api as documented it
> wouldn't work. It is an attack on the insecure negotiation used by
> firefox, which as it seems it shares code with thunderbird. The text
> in my description is accurate, the attack affects mostly browsers, and
> if you are using the tls protocol negotiation you are safe.

Hi.

I don't think DKG was suggesting the GnuTLS API is vulnerable to
protocol downgrade attacks if used according to guidelines (I know I
wasn't).

His question relates to your "only browsers" comment, which as my attack
against Thunderbird+IMAPS shows, is inaccurate. My second link contains
a similar mistake by Red Hat.  

--mancha

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.