oss-sec mailing list archives
Re: Re: neuter the poodle
From: mancha <mancha1 () zoho com>
Date: Sat, 18 Oct 2014 07:25:06 +0000
On Sat, Oct 18, 2014 at 09:01:55AM +0200, Nikos Mavrogiannopoulos wrote:
Hi, The attack that you describe below is not an attack on tls negotiation. If you would be using the gnutls api as documented it wouldn't work. It is an attack on the insecure negotiation used by firefox, which as it seems it shares code with thunderbird. The text in my description is accurate, the attack affects mostly browsers, and if you are using the tls protocol negotiation you are safe.
Hi. I don't think DKG was suggesting the GnuTLS API is vulnerable to protocol downgrade attacks if used according to guidelines (I know I wasn't). His question relates to your "only browsers" comment, which as my attack against Thunderbird+IMAPS shows, is inaccurate. My second link contains a similar mistake by Red Hat. --mancha
Attachment:
_bin
Description:
Current thread:
- Re: Truly scary SSL 3.0 vuln to be revealed soon:, (continued)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: mancha (Oct 14)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Krassimir Tzvetanov (Oct 14)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Pierre Schweitzer (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Ben Lincoln (0E1C7DBB - OSS) (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Hanno Böck (Oct 15)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: ishish (Oct 16)
- RE: Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi (Oct 16)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Daniel Kahn Gillmor (Oct 17)
- neuter the poodle (was: Re: Truly scary SSL 3.0 vuln to be revealed soon:) mancha (Oct 17)
- Re: neuter the poodle (was: Re: Truly scary SSL 3.0 vuln to be revealed soon:) Nikos Mavrogiannopoulos (Oct 18)
- Re: Re: neuter the poodle mancha (Oct 18)
- Re: Re: neuter the poodle Nikos Mavrogiannopoulos (Oct 18)
- Re: Truly scary SSL 3.0 vuln to be revealed soon: Mark Felder (Oct 17)