oss-sec mailing list archives
Re: Re: neuter the poodle
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos () gmail com>
Date: Sat, 18 Oct 2014 09:39:52 +0200
Ok indeed, there is nothing restricting it to browsers. It is just that these were known to be the major users of the insecure negotiation. If any other application is using it too it will be vulnerable too.

On 18 October 2014 09:25:06 CEST, mancha <mancha1 () zoho com> wrote:
> On Sat, Oct 18, 2014 at 09:01:55AM +0200, Nikos Mavrogiannopoulos wrote:
>> Hi,
>> The attack that you describe below is not an attack on tls negotiation. If you would be using the gnutls api as documented it wouldn't work. It is an attack on the insecure negotiation used by firefox, which as it seems it shares code with thunderbird. The text in my description is accurate, the attack affects mostly browsers, and if you are using the tls protocol negotiation you are safe.
>
> Hi. I don't think DKG was suggesting the GnuTLS API is vulnerable to protocol downgrade attacks if used according to guidelines (I know I wasn't). His question relates to your "only browsers" comment, which as my attack against Thunderbird+IMAPS shows, is inaccurate. My second link contains a similar mistake by Red Hat.
>
> --mancha

-- Sent from my mobile. Please excuse my brevity.