oss-sec mailing list archives
Re: Apple goto fail - lessons that should be learned
From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Wed, 26 Nov 2014 17:12:09 -0500 (EST)
On Wed, 26 Nov 2014 21:01:09 +0100, Hanno Böck <hanno () hboeck de> wrote:
I've written something similar on POODLE (and BERserk), not sure if I posted this here before: https://blog.hboeck.de/archives/858-Dancing-protocols,-POODLEs-and-other-tales-from-TLS.html Not surprisingly I come to somewhat similar conclusions (protocol downgrade protection, encrypt-then-mac etc.)
Excellent! I've added a citation from my POODLE paper to your post.
But the most important conclusion from POODLE is imho: Be very careful with implementing workarounds for broken hard/software - and don't do them if they compromise security.
Agreed. It's going to be hard to do that in practice, I fear. Thankfully, it looks like SSLv3 will disappear, reducing the pressure to do that for TLS. That will help. --- David A. Wheeler
Current thread:
- Apple goto fail - lessons that should be learned David A. Wheeler (Nov 26)
- Re: Apple goto fail - lessons that should be learned Hanno Böck (Nov 26)
- Re: Apple goto fail - lessons that should be learned David A. Wheeler (Nov 26)
- Re: Apple goto fail - lessons that should be learned Hanno Böck (Nov 26)