List: ietf-tls
Subject: Re: [TLS] Accepting that other SNI name types will never work.
From: Hubert Kario <hkario () redhat ! com>
Date: 2016-03-07 12:41:44
Message-ID: 3694409.ykmGAtXXCk () pintsize ! usersys ! redhat ! com
On Monday 07 March 2016 23:32:55 Martin Thomson wrote:
> On 7 March 2016 at 23:02, Hubert Kario <hkario@redhat.com> wrote:
> > well, if some people don't care about their implementation being
> > fingerprintable, let them be, but there should be at least a
> > recommendation of what to do if you want to avoid that.
>
> I'd be very surprised if this added anything to the fingerprinting
> entropy already present in TLS implementations. You can't use this
> sort of thing to distinguish one user of NSS from another NSS user.
Correct, but that's not what I meant by fingerprinting.
> BTW, I'm pretty much not willing to volunteer to review the patch that
> made NSS less fingerprintable as NSS. I'm pretty sure that involves
> replacing NSS with OpenSSL.
The current fingerprinting depends on alert descriptions sent for
different invalid messages.
In most cases it's just a question of changing a decode_error to
illegal_parameter, or similar simple changes.
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
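The fingerprinting surface Hubert describes is the alert description an implementation returns for a given malformed input. The following is an added example, not code from this thread or from NSS: it parses TLS alert records and compares the alert profile of two implementations over the same set of malformed inputs, so an implementer can check which responses would still set their stack apart from a reference. The sample responses and input labels are constructed, and the alert codes are the RFC 5246 values.

```python
import struct

ALERT_CONTENT_TYPE = 21  # TLS record content type for alerts (RFC 5246)
ALERT_NAMES = {
    40: "handshake_failure",
    47: "illegal_parameter",
    50: "decode_error",
    70: "protocol_version",
    80: "internal_error",
}


def parse_alert(record: bytes):
    """Parse one TLS record; return (level, description) if it is an alert, else None."""
    if len(record) < 7:
        raise ValueError("record too short to be a TLS alert")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        return None
    if length != 2 or len(record) != 7:
        raise ValueError("alert record must carry exactly two bytes")
    level, desc = record[5], record[6]
    return level, ALERT_NAMES.get(desc, f"unknown({desc})")


def alert_profile(responses):
    """Map each malformed-input label to the alert description the implementation sent."""
    return {label: parse_alert(rec)[1] for label, rec in responses.items()}


def distinguishing_inputs(profile_a, profile_b):
    """Inputs for which the two implementations answer with different alert descriptions."""
    return sorted(k for k in profile_a if profile_a[k] != profile_b.get(k))


# Constructed sample responses (not captured from any real implementation).
# Each is a fatal (level 2) alert record in a TLS 1.2 record header.
IMPL_A = {
    "truncated_extension": bytes([21, 3, 3, 0, 2, 2, 50]),  # decode_error
    "bad_compression": bytes([21, 3, 3, 0, 2, 2, 47]),      # illegal_parameter
}
IMPL_B = {
    "truncated_extension": bytes([21, 3, 3, 0, 2, 2, 47]),  # illegal_parameter
    "bad_compression": bytes([21, 3, 3, 0, 2, 2, 47]),      # illegal_parameter
}

if __name__ == "__main__":
    # Only the decode_error vs illegal_parameter choice separates A from B here.
    print(distinguishing_inputs(alert_profile(IMPL_A), alert_profile(IMPL_B)))
```

Replacing the decode_error in IMPL_A with illegal_parameter empties the distinguishing set, which is the kind of one-line change the mail refers to.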