Date: Wed, 11 Aug 2021 08:16:34 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: STARTTLS vulnerabilities

Hi,

On Tue, 10 Aug 2021 15:41:56 +0200
Guido Berhoerster <guido+openwall.com@...hoerster.name> wrote:

> have you or are you planning to look into XMPP client/server
> implementations as well? The use of STARTTLS for both c2s and s2s
> connections is still prevalent both in terms of implementation
> support and actual practice and could potentially suffer from the
> same issues (command injection or downgrade attacks).

We have not looked much into other protocols, and given how much time
we've already spent on the topic I think it is unlikely that we will
do this.

Of course it's a very obvious idea for further research to look if one
finds similar vulnerabilities to the ones we found in other protocols.
So I'd really like to encourage other people to look for this.

FWIW there are a lot of protocols with a STARTTLS mechanism, here's the
list of supported protocols by OpenSSL:

smtp pop3 imap ftp xmpp xmpp-server telnet irc mysql postgres lmtp nntp
sieve ldap

-- 
Hanno Böck
https://hboeck.de/
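The command-injection issue Guido asks about comes down to how a server handles its read buffer at the STARTTLS transition: plaintext that arrived in the same TCP read as the STARTTLS command must be discarded, or it is processed after the handshake as though it had been sent over TLS. The following simulation is an added example, not code from the thread or from any real server; it models a generic line-based STARTTLS command handler with constructed byte streams (the `plaintext_stream` and `encrypted_stream` inputs are assumptions) and contrasts the defective buffering with the corrected transition.

```python
"""Simulated STARTTLS buffer handling (constructed example, not from any real
server).  A plaintext command queued behind STARTTLS in the same read must not
survive the transition to TLS; the hardened handler drops it."""


def _run(plaintext_stream, encrypted_stream, discard_leftover):
    """Process CRLF-delimited commands from the pre-TLS stream, then from the
    post-handshake stream.  Returns a log of (channel, command) tuples; the
    transition entry records how many leftover plaintext bytes were pending."""
    buf = plaintext_stream
    tls = False
    log = []
    while b"\r\n" in buf:
        line, _, buf = buf.partition(b"\r\n")
        cmd = line.decode("ascii", "replace")
        if not tls and cmd.upper() == "STARTTLS":
            tls = True
            leftover = buf          # plaintext that arrived with STARTTLS
            # Correct behaviour: forget anything read before the handshake and
            # start reading fresh from the TLS layer.  The defect: the leftover
            # bytes stay queued and are treated as post-handshake input.
            buf = encrypted_stream if discard_leftover else leftover + encrypted_stream
            log.append(("tls-transition", cmd, len(leftover)))
            continue
        log.append(("tls" if tls else "plaintext", cmd))
    return log


def vulnerable_handler(plaintext_stream, encrypted_stream):
    """Keeps the pre-handshake buffer across STARTTLS (the injection defect)."""
    return _run(plaintext_stream, encrypted_stream, discard_leftover=False)


def hardened_handler(plaintext_stream, encrypted_stream):
    """Discards the pre-handshake buffer across STARTTLS (the mitigation)."""
    return _run(plaintext_stream, encrypted_stream, discard_leftover=True)


def commands_trusted_as_tls(log):
    """Commands the handler attributed to the encrypted channel."""
    return [entry[1] for entry in log if entry[0] == "tls"]


if __name__ == "__main__":
    # Constructed input: a client sends STARTTLS and a further command in one
    # segment, then one genuine command after the handshake.
    pre = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"
    post = b"MAIL FROM:<user@example.org>\r\n"
    print("vulnerable:", commands_trusted_as_tls(vulnerable_handler(pre, post)))
    print("hardened:  ", commands_trusted_as_tls(hardened_handler(pre, post)))
```

The check a server implementer wants is the second output line: only the command that really arrived through the TLS layer may be attributed to it. The same buffer-flush rule applies to the client side of the handshake, and to every protocol in the OpenSSL list above that switches layers in-band.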