Turns out tls-unique is *additionally* broken by SLOTH
(https://www.mitls.org/pages/attacks/SLOTH),
found a few months after the release of RFC 7627, which tried to fix it:
If your TLS application relies on the tls-unique
channel binding to prevent credential forwarding, you need to redesign your application.
Our attack on the tls-unique channel binding affects application-level protocols that
rely on this channel binding to prevent credential forwarding attacks. In general, all
uses of tls-unique are suspect, but the following are known to be specifically affected:
* SCRAM is used in SASL and GSSAPI and relies on tls-unique for channel binding. SCRAM is the default authentication protocol for XMPP.