Re: STARTTLS & EHLO: Errata text?

2009-01-30 12:03:39

Hector Santos <hsantos(_at_)santronics(_dot_)com> writes:
Russ Allbery wrote:

It's not supposed to trust what the server said before STARTTLS, since
everything sent before STARTTLS may have been provided by a
man-in-the-middle attacker.  It's stronger than just not assuming that
the same extensions apply.  Even if extensions happen to still be
available, trusting the extension return before STARTTLS can permit an
attacker to launch a down-negotiation attack, for example.

Maybe I don't see it.  If the client is being fooled, one would think
that it would be to relax the client, not push it into a more secured

Right, that's what a down-negotiation attack is.  The attacker would, for
instance, advertise that the server supported authentication but only list
weak authentication protocols.  If the client then proceeded on the basis
of the extension list from the attacker, it would use a weaker (and
possibly vulnerable) authentication protocol instead of a stronger one
that the server actually supports.

Russ Allbery (rra(_at_)stanford(_dot_)edu)
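The down-negotiation Russ describes is easiest to see in client code. The following is an added illustration, not code from this thread or from any mail implementation: it models an SMTP client that records the EHLO extension list, then compares a naive client that keeps the pre-STARTTLS list with one that discards it and re-issues EHLO inside the TLS session, as RFC 3207 requires. The EHLO replies, the host name `mail.example.test`, the mechanism preference order and the class and function names are all constructed for the example.

```python
import re

# Preferred SASL mechanisms, strongest first (constructed ordering for this example).
MECHANISM_PREFERENCE = ["SCRAM-SHA-256", "SCRAM-SHA-1", "CRAM-MD5", "PLAIN", "LOGIN"]


def parse_ehlo_response(lines):
    """Parse a multi-line EHLO reply ("250-" continuation lines, "250 " final line)
    into a dict of EXTENSION -> parameter list. The first line is the greeting."""
    extensions = {}
    for index, line in enumerate(lines):
        match = re.match(r"^250([ -])(.*)$", line)
        if match is None:
            raise ValueError("unexpected EHLO reply line: %r" % line)
        if index == 0:
            continue  # greeting, e.g. "250-mail.example.test Hello client"
        words = match.group(2).split()
        if words:
            extensions[words[0].upper()] = [w.upper() for w in words[1:]]
    return extensions


class SmtpClientState:
    """Tracks what the client currently believes about the server (hypothetical class)."""

    def __init__(self):
        self.extensions = {}
        self.tls_active = False

    def on_ehlo_reply(self, lines):
        self.extensions = parse_ehlo_response(lines)

    def on_starttls_ok(self, reissue_ehlo, post_tls_lines):
        # RFC 3207: everything learned before STARTTLS must be discarded and
        # EHLO re-issued over the TLS session. A naive client keeps the old list,
        # which an on-path attacker may have edited.
        self.tls_active = True
        if reissue_ehlo:
            self.extensions = {}
            self.on_ehlo_reply(post_tls_lines)

    def choose_auth_mechanism(self):
        """Pick the strongest mechanism the current extension list offers."""
        offered = set(self.extensions.get("AUTH", []))
        for mechanism in MECHANISM_PREFERENCE:
            if mechanism in offered:
                return mechanism
        return None


# Constructed EHLO reply as seen before STARTTLS. This text travels in the clear,
# so a man-in-the-middle could have trimmed the AUTH line to the weak mechanisms.
PRE_TLS_EHLO = [
    "250-mail.example.test Hello client",
    "250-STARTTLS",
    "250 AUTH PLAIN LOGIN",
]

# Constructed EHLO reply obtained by re-issuing EHLO inside the TLS session:
# this is the server's real list, which the attacker can no longer alter.
POST_TLS_EHLO = [
    "250-mail.example.test Hello client",
    "250 AUTH SCRAM-SHA-256 PLAIN LOGIN",
]


def negotiate(reissue_ehlo):
    """Run the constructed exchange and return the mechanism the client would use."""
    state = SmtpClientState()
    state.on_ehlo_reply(PRE_TLS_EHLO)
    state.on_starttls_ok(reissue_ehlo, POST_TLS_EHLO)
    return state.choose_auth_mechanism()


if __name__ == "__main__":
    print("naive client (keeps pre-TLS list):", negotiate(reissue_ehlo=False))  # PLAIN
    print("correct client (re-issues EHLO):", negotiate(reissue_ehlo=True))  # SCRAM-SHA-256
```

The naive client ends up authenticating with PLAIN even though the server supports SCRAM-SHA-256, which is exactly the weaker-than-necessary outcome described above; the client that throws away its pre-STARTTLS state and re-reads the extension list over TLS picks the strong mechanism. The same reset should apply to every other extension the client remembers (SIZE, PIPELINING, and so on), not only AUTH.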