[Security] TLS Triple Handshakes

Dave Cridland dave at cridland.net
Mon Mar 3 22:35:54 UTC 2014


On 3 March 2014 21:47, Waqas Hussain <waqas20 at gmail.com> wrote:

> On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner <fedor.brunner at azet.sk>
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> >
> > Hi all,
> > this attack on TLS security may be interesting for XMPP
> > https://www.imperialviolet.org/2014/03/03/triplehandshake.html
> > https://secure-resumption.com/#further
> >
> > The attacker could modify tls-unique channel binding and affect
> > SCRAM-SHA-1-PLUS authentication method.
> >
>


Yes, it's interesting, at a first glance.

It would, however, only affect clients that do not verify certificates
properly (at least at the point of sending SASL stuff).

You also need clients and servers that are perfectly happy to see
renegotiation, and it's not vastly obvious why XMPP *needs* any
renegotiation.

So something to be aware of, rather than panic over.

Dave.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/security/attachments/20140303/70a44ed0/attachment.html>


More information about the Security mailing list