Firewall Wizards mailing list archives
Re: TLS/SSL revisited slightly...
From: Paul Robertson <proberts () patriot net>
Date: Tue, 30 Jul 2002 12:37:39 -0400 (EDT)
On 30 Jul 2002, Eric Rescorla wrote:
> That said: Bugs 1 and 3 are server vulnerabilities, not client vulnerabilities since they apply when the client sends bogus data to the server to get it to overflow. (The client master key and client key exchange are generated by the client and processed by the server.)
Yep, I read it too quickly.
> Bug 2 is indeed a problem for clients. But 4 is probably a problem for both, depending on the exact circumstances in which integers are being parsed.
If it's a storage/conversion problem though, it'll be rare as a client issue if it needs a 64-bit system.
> None of this is really that relevant to browsers, since neither IE nor Mozilla uses OpenSSL, but instead use their own private things. IE uses SChannel/CAPI and Mozilla uses NSS.
I use both Links and Lynx, and they indeed use OpenSSL.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards