
List:       ietf-tls
Subject:    Re: [TLS] Accepting that other SNI name types will never work.
From:       Hubert Kario <hkario () redhat ! com>
Date:       2016-03-07 12:41:44
Message-ID: 3694409.ykmGAtXXCk () pintsize ! usersys ! redhat ! com


On Monday 07 March 2016 23:32:55 Martin Thomson wrote:
> On 7 March 2016 at 23:02, Hubert Kario <hkario@redhat.com> wrote:
> > well, if some people don't care about their implementation being
> > fingerprintable, let them be, but there should be at least a
> > recommendation what to do if you want to avoid that.
> 
> I'd be very surprised if this added anything to the fingerprinting
> entropy already present in TLS implementations.  You can't use this
> sort of thing to distinguish one user of NSS from another NSS user.

correct, but that's not what I meant by fingerprinting

> BTW, I'm pretty much not willing to volunteer to review the patch that
> made NSS less fingerprintable as NSS.  I'm pretty sure that involves
> replacing NSS with OpenSSL.

the current fingerprinting depends on alert descriptions sent for 
different invalid messages

in most cases it's just a question of changing a decode_error to 
illegal_parameter or similar simple changes

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
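The point Hubert makes above is that a TLS stack is distinguishable by which alert description it sends back for each kind of malformed message. The following is an added example, not code from the thread or from NSS or OpenSSL: a small parser for the TLS Alert record (content type 21, a two-byte body of level and description, RFC 5246 section 7.2) plus a check that compares the alert profile of a stack under test against a reference profile and lists the cases an implementer would need to change (for instance a decode_error that should be an illegal_parameter). The test-case names and the captured alert bytes are constructed sample data, not measurements of any real implementation.

```python
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values from RFC 5246 section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    47: "illegal_parameter",
    50: "decode_error",
    70: "protocol_version",
    80: "internal_error",
}


def parse_alert_record(record: bytes) -> tuple[str, str]:
    """Parse one plaintext TLS record carrying an Alert; return (level, description)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}"))


def alert_profile(responses: dict[str, bytes]) -> dict[str, str]:
    """Map each malformed-input test case to the alert description the stack answered with."""
    return {name: parse_alert_record(rec)[1] for name, rec in responses.items()}


def deviations_from_reference(under_test: dict[str, bytes],
                              reference: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Cases where the stack under test answers with a different alert than the reference.

    Each entry is (case, alert sent, alert expected); an empty list means the
    two stacks are not distinguishable on these inputs by their alerts alone.
    """
    got, want = alert_profile(under_test), alert_profile(reference)
    return sorted((case, got[case], want[case])
                  for case in got if case in want and got[case] != want[case])


# Constructed sample data (hypothetical case names): the alert record each stack
# returned for the same three malformed ClientHello variants.
REFERENCE_RESPONSES = {
    "extension_length_overrun": b"\x15\x03\x03\x00\x02\x02\x2f",  # fatal, illegal_parameter
    "unknown_compression":      b"\x15\x03\x03\x00\x02\x02\x2f",  # fatal, illegal_parameter
    "truncated_cipher_suites":  b"\x15\x03\x03\x00\x02\x02\x32",  # fatal, decode_error
}
STACK_UNDER_TEST_RESPONSES = {
    "extension_length_overrun": b"\x15\x03\x03\x00\x02\x02\x32",  # fatal, decode_error (differs)
    "unknown_compression":      b"\x15\x03\x03\x00\x02\x02\x2f",
    "truncated_cipher_suites":  b"\x15\x03\x03\x00\x02\x02\x32",
}

if __name__ == "__main__":
    for case, sent, expected in deviations_from_reference(STACK_UNDER_TEST_RESPONSES,
                                                          REFERENCE_RESPONSES):
        print(f"{case}: sends {sent}, reference sends {expected}")
```

Run against real captures, the deviation list is the to-do list Hubert describes: each entry is one alert description to change so that the stack stops answering differently from its peers. The parser only handles unencrypted alerts, which is where the handshake-time ones in question are sent.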
