List: ietf-tls
Subject: Re: [TLS] Accepting that other SNI name types will never work.
From: Richard Moore <rich () kde ! org>
Date: 2016-03-08 19:55:58
Message-ID: CAMp7mVtOWAfRLUKeCPVAvwjmWJ7HE4VBCh4RakGwUAO-QW4ezQ () mail ! gmail ! com
On 7 March 2016 at 12:32, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 7 March 2016 at 23:02, Hubert Kario <hkario@redhat.com> wrote:
> > well, if some people don't care about their implementation being
> > fingerprintable, let them be, but there should be at least a
> > recommendation of what to do if you want to avoid that.
>
> I'd be very surprised if this added anything to the fingerprinting
> entropy already present in TLS implementations. You can't use this
> sort of thing to distinguish one user of NSS from another NSS user.
>
>
No, but you can use this sort of thing in combination to determine the
version a server is running, not just the implementation. If there was a
recommended alert for a given situation I imagine (perhaps over
optimistically) that it would be harder.
> BTW, I'm pretty much not willing to volunteer to review the patch that
> made NSS less fingerprintable as NSS. I'm pretty sure that involves
> replacing NSS with OpenSSL.
>
Making it hard (or at least harder) to distinguish the two would
definitely not involve that. That said, I haven't fingerprinted NSS as a
server in anywhere near as many configurations as OpenSSL, though this is
mainly because I see it used that way less frequently.
Cheers
Rich.