[Security] TLS Triple Handshakes

Waqas Hussain waqas20 at gmail.com
Mon Mar 3 21:47:09 UTC 2014


On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner <fedor.brunner at azet.sk> wrote:
> Hi all,
> this attack on TLS security may be interesting for XMPP
> https://www.imperialviolet.org/2014/03/03/triplehandshake.html
> https://secure-resumption.com/#further
>
> The attacker could modify tls-unique channel binding and affect
> SCRAM-SHA-1-PLUS authentication method.
>
> Fedor

Responding to this message, because it may have been marked as spam
for a lot of folks.

Mailman as configured for our mailing lists breaks DKIM signatures,
and many folks have run into this. Several messages end up in spam
every month. Gmail's behavior in this has been a bit random.

This is trivially fixable by setting STRIP_DKIM_SIGNATURE = Yes in the
Mailman config, or with a number of more advanced configurations, as
documented here: http://wiki.list.org/display/DEV/DKIM

--
Waqas Hussain

