Re: TLS implementation test

[Julien <prospi () gmail com>]

Hi ,

> Also, does your implementation do perform correct client/server
> certificate validation?

Yes, it's implemented...

> If someone adds or removes encrypted
> data, or modifies it in transit, will your implementation detect it?

I don't don't know for the moment. By reading the design docs I think
it have to detect this kind of "attack".

Thanks all

2006/10/21, Tim <tim-pentest () sentinelchicken org>:
> > I have to test TLS implementation on our product. Ths goal is not to
> > discover a threat in TLS but to find threat in our implementation.
> > In my test I'll do :
> > - MitM
> > - Replay attack (I think it will not be possible because of TLS timestamps )
> > - Dos
> > - Sniffing (to check that all communications are encrypted)
> >
> > What other tests could be done ?
>
> Well, there's always modification.  If someone adds or removes encrypted
> data, or modifies it in transit, will your implementation detect it?
> This is particularly important when using stream cipher based
> ciphersuites.
>
> Also, does your implementation do perform correct client/server
> certificate validation?  It's a pretty complex process, and other major
> implementations have had bugs in the past in this area.
>
> good luck,
> tim

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------