[145082] in cryptography@c2.net mail archive
Re: TLS break
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Nov 17 08:26:59 2009
In-Reply-To: <4B016204.9020.1ACECBFA@bernie.fantasyfarm.com>
Date: Mon, 16 Nov 2009 19:09:38 -0800
From: Ben Laurie <benl@google.com>
To: Bernie Cosell <bernie@fantasyfarm.com>
Cc: cryptography@metzdowd.com
On Mon, Nov 16, 2009 at 11:30 AM, Bernie Cosell <bernie@fantasyfarm.com> wr=
ote:
> As I understand it, this is only really a vulnerability in situations
> where a command to do something *precedes* the authentication to enable
> the command. =A0The obvious place where this happens, of course, is with
> HTTPS where the command [GET or POST] comes first and the authentication
> [be it a cookie or form vbls] comes later.
This last part is not really accurate - piggybacking the evil command
onto authentication that is later presented is certainly one possible
attack, but there are others, such as the Twitter POST attack and the
SMTP attack outlined by Wietse Venema (which doesn't work because of
implementation details, but _could_ work with a different
implementation).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
