[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Apple goto fail - lessons that should be learned
From: "David A. Wheeler" <dwheeler () dwheeler ! com>
Date: 2014-11-26 22:12:09
Message-ID: E1Xtkoj-0006C0-49 () rmm6prod02 ! runbox ! com
[Download RAW message or body]
On Wed, 26 Nov 2014 21:01:09 +0100, Hanno Böck <hanno@hboeck.de> wrote:
> I've written something similar on POODLE (and BERserk), not sure if I
> posted this here before:
> https://blog.hboeck.de/archives/858-Dancing-protocols,-POODLEs-and-other-tales-from-TLS.html
>
> Not surprisingly I come to somewhat similar conclusions (protocol
> downgrade protection, encrypt-then-mac etc.)
Excellent! I've added a citation from my POODLE paper to your post.
> But the most important conclusion from POODLE is imho: Be very careful
> with implementing workarounds for broken hard/software - and don't do
> them if they compromise security.
Agreed. It's going to be hard to do that in practice, I fear.
Thankfully, it looks like SSLv3 will disappear, reducing the pressure to do that
for TLS. That will help.
--- David A. Wheeler
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic