On 7 March 2016 at 12:32, Martin Thomson wrote:
> On 7 March 2016 at 23:02, Hubert Kario wrote:
> > well, if some people don't care about their implementation being
> > fingerprintable, let them be, but there should be at least a
> > recommendation what to do if you want to avoid that.
>
> I'd be very surprised if this added anything to the fingerprinting
> entropy already present in TLS implementations. You can't use this
> sort of thing to distinguish one user of NSS from another NSS user.
>

No, but you can use this sort of thing in combination to determine the version a server is running, not just the implementation. If there was a recommended alert for a given situation I imagine (perhaps over-optimistically) that it would be harder.

> BTW, I'm pretty much not willing to volunteer to review the patch that
> made NSS less fingerprintable as NSS. I'm pretty sure that involves
> replacing NSS with OpenSSL.
>

Making it hard (or at least harder) to distinguish the two would definitely not involve that. That said, I haven't fingerprinted NSS as a server in anywhere near as many configurations as openssl, though this is mainly because I see it used that way less frequently.

Cheers

Rich.
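The point Rich makes above, that alerts observed across several malformed probes can be combined into a fingerprint that narrows down a version and not only an implementation, as an added example that is not code from this thread or from NSS/OpenSSL. The record layout and alert codes are the real ones from RFC 5246; the probe names, the captured alert bytes and the "ExampleTLS" fingerprint table are constructed for illustration and describe no real implementation's behaviour.

```python
"""
Fingerprint a TLS server from the alerts it returns to a set of probes.

Added example, not from the mailing-list thread. The probe names, the
captured responses and the fingerprint table below are constructed for
illustration; no claim is made about any real implementation or version.
"""
import struct

# TLS record ContentType for Alert (RFC 5246, section 6.2.1)
CONTENT_TYPE_ALERT = 21

# AlertDescription values from RFC 5246 section 7.2 (subset) plus
# inappropriate_fallback from RFC 7507
ALERT_NAMES = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    47: "illegal_parameter",
    50: "decode_error",
    70: "protocol_version",
    80: "internal_error",
    86: "inappropriate_fallback",
    110: "unsupported_extension",
}


def parse_alert(record: bytes):
    """Parse one TLS Alert record: type(1) version(2) length(2) level(1) description(1).
    Returns a dict, or None if the bytes are not a single well-formed alert record."""
    if len(record) != 7:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT or length != 2:
        return None
    level, desc = record[5], record[6]
    if level not in (1, 2):  # 1 = warning, 2 = fatal
        return None
    return {
        "version": (major, minor),
        "fatal": level == 2,
        "description": ALERT_NAMES.get(desc, f"unknown_{desc}"),
    }


def fingerprint(responses):
    """responses: probe name -> raw bytes the server sent back (b"" if it just closed).
    The fingerprint is the sorted tuple of (probe, observed reaction)."""
    key = []
    for probe in sorted(responses):
        data = responses[probe]
        alert = parse_alert(data)
        if alert is None:
            key.append((probe, "no_alert" if not data else "other"))
        else:
            key.append((probe, alert["description"]))
    return tuple(key)


# Hypothetical fingerprint table (constructed): two versions of the same
# fictional implementation differ only in how they answer one probe, which is
# exactly what lets an observer tell versions apart rather than implementations.
KNOWN_FINGERPRINTS = {
    (("bad_version", "protocol_version"),
     ("truncated_hello", "no_alert"),
     ("unknown_ext", "decode_error")): "ExampleTLS 1.0 (hypothetical)",
    (("bad_version", "protocol_version"),
     ("truncated_hello", "no_alert"),
     ("unknown_ext", "unsupported_extension")): "ExampleTLS 1.1 (hypothetical)",
}


def identify(responses):
    """Map a set of probe responses to a known fingerprint, or 'unknown'."""
    return KNOWN_FINGERPRINTS.get(fingerprint(responses), "unknown")


# Constructed sample capture: what a hypothetical server answered to three probes.
SAMPLE_RESPONSES = {
    "bad_version": b"\x15\x03\x01\x00\x02\x02\x46",      # fatal protocol_version (70)
    "truncated_hello": b"",                              # connection closed, no alert
    "unknown_ext": b"\x15\x03\x03\x00\x02\x02\x6e",      # fatal unsupported_extension (110)
}

if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSES))
    print(identify(SAMPLE_RESPONSES))
```

The table is the interesting part: once a recommended alert exists for each situation, the two rows collapse into one and the probe stops carrying version information, which is what a "what to do if you want to avoid that" recommendation would buy.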