Firewall Wizards mailing list archives

Re: TLS/SSL revisited slightly...


From: Paul Robertson <proberts () patriot net>
Date: Tue, 30 Jul 2002 12:37:39 -0400 (EDT)

On 30 Jul 2002, Eric Rescorla wrote:
> That said:
> Bugs 1 and 3 are server vulnerabilities, not client vulnerabilities
> since they apply when the client sends bogus data to the server to get
> it to overflow. (the client master key and client key exchange
> are generated by the client and processed by the server.)

Yep, I read it too quickly.

> Bug 2 is indeed a problem for clients.
>
> But 4 is probably a problem for both, depending on the exact
> circumstances in which integers are being parsed.

If it's a storage/conversion problem though, it'll be rare as a client
issue if it needs a 64-bit system.

> None of this is really that relevant to browsers, since
> neither IE nor Mozilla uses OpenSSL, but instead use their
> own private things. IE uses SChannel/CAPI and Mozilla uses NSS.

I use both Links and Lynx, and they indeed use OpenSSL.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
