sfs8 pt1

Mark Lomas ukcrypto at chiark.greenend.org.uk
Tue, 23 Sep 2008 15:25:54 +0100

Playing Devil's Advocate:

By configuring the server to accept more than one protocol the administrator
implied that each of those protocols satisfies the relevant security policy.
In such a case the server ought to choose the least* secure protocol
acceptable to the client.

* Unless the more secure protocol has no additional cost whatsoever.

If perfect forward secrecy is a requirement this can be achieved by
disabling the protocols that don't provide it. Consequently, the server's
behaviour is not at fault, although the server administrator may be at fault
for permitting less secure protocols.

Mark


2008/9/23 Charles Lindsey <chl@clerew.man.ac.uk>

> On Mon, 22 Sep 2008 19:31:39 +0100, Dave Howe <DaveHowe@gmx.co.uk> wrote:
>
>> I did a bit more testing and paid more attention. I took a look at
>> exactly what was happening and it looks like FF (checked 2.x and 3.x)
>> works fine, but IE (any version from 6 up to 8b2) doesn't.
>>
>> It also appears to be a feature of the *browser*'s preferred list,
>> rather than the server.
>>
>>
>> from this list, apache selects the third (I am assuming the first two
>> aren't supported by apache) - 0x0039
>>
>> so my guess is - at least in this instance, the server starts at the top
>> of the list presented by the client, and takes the first one that it
>> encounters that is on its supported list. In this case, that is a
>> non-DHE suite for IE, but a DHE one for firefox - hence the difference
>> in captures.
>>
>
> Well, in that case, I would regard it as the server's fault, since it ought
> to consider all of the offerings and choose the most secure, according to
> some internal ranking which it should have.
>
> --
>
> Charles H. Lindsey ---------At Home, doing my own thing------------------------
> Tel: +44 161 436 6131                         Web: http://www.cs.man.ac.uk/~chl
> Email: chl@clerew.man.ac.uk
>       Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
>
> PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
>
>
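
The three positions argued above (Dave's observed first-match-in-client-order, Charles's server-side ranking, and Mark's remedy of simply not admitting non-PFS suites) side by side, as an added example that is not code from the thread, from Apache or from OpenSSL. The ClientHello orderings and the server's list are constructed, since the actual IE list was elided from the thread; the suite identifiers are the standard TLS values (0x0039 is TLS_DHE_RSA_WITH_AES_256_CBC_SHA).

```python
# Added example for this thread; not code from any mailer or from Apache/OpenSSL.
# It contrasts the two cipher-suite selection policies argued over in the thread
# and shows the fix Mark suggests: dropping non-PFS suites from the server side.

# Standard TLS cipher suite identifiers; True = DHE key exchange (perfect
# forward secrecy), False = static RSA key exchange (no forward secrecy).
SUITES = {
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", True),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),
}

# Constructed server list, most preferred first (the thread gives no real config).
SERVER_RANKING = [0x0039, 0x0033, 0x0035, 0x002F, 0x000A]

# Constructed ClientHello orderings (the real IE list was elided from the thread).
# The IE-like hello puts static-RSA suites first; the Firefox-like hello leads
# with two suites (0x0088, 0x0087: Camellia) this server does not support,
# so 0x0039 is the third entry, matching Dave's observation.
IE_LIKE_HELLO = [0x002F, 0x0035, 0x000A, 0x0039, 0x0033]
FIREFOX_LIKE_HELLO = [0x0088, 0x0087, 0x0039, 0x0033, 0x0035, 0x002F]


def select_client_preference(client_hello, server_supported):
    """Dave's observed behaviour: first suite in the client's order the server supports."""
    for suite in client_hello:
        if suite in server_supported:
            return suite
    return None  # no overlap: the server would send a handshake_failure alert


def select_server_preference(client_hello, server_ranking):
    """Charles's proposal: first suite in the server's own ranking the client offered."""
    offered = set(client_hello)
    for suite in server_ranking:
        if suite in offered:
            return suite
    return None


def pfs_only(server_ranking):
    """Mark's remedy: admit only suites whose key exchange gives forward secrecy."""
    return [s for s in server_ranking if SUITES[s][1]]


def has_pfs(suite):
    return suite is not None and SUITES[suite][1]
```

With client preference the IE-like hello lands on 0x002F (no PFS) while the Firefox-like hello gets 0x0039; server preference or a PFS-only server list both steer the IE-like hello to 0x0039, and a client offering no DHE suite at all gets no suite rather than a silent downgrade.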