sfs8 pt1
John Lamb
ukcrypto at chiark.greenend.org.uk
Wed, 24 Sep 2008 09:55:57 +0100
If this negotiation happens before the encryption starts, it could be
influenced by a MitM attack - an attacker could modify the client's list
of accepted protocols en route to the server to remove the ones the
attacker can't decrypt later.
So as Mark says, if those protocols aren't considered secure enough,
they shouldn't be on the server's list!
On Tue, Sep 23, 2008 at 03:25:54PM +0100, Mark Lomas wrote:
> Playing Devil's Advocate:
>
> By configuring the server to accept more than one protocol the administrator
> implied that each of those protocols satisfies the relevant security policy.
> In such a case the server ought to choose the least* secure protocol
> acceptable to the client.
>
> * Unless the more secure protocol has no additional cost whatsoever.
>
> If perfect forward secrecy is a requirement this can be achieved by
> disabling the protocols that don't provide it. Consequently, the server's
> behaviour is not at fault, although the server administrator may be at fault
> for permitting less secure protocols.
>
> Mark
>
>
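A small model of the negotiation the thread is arguing about, added here as an illustration and not taken from any post in it: the server picks from the client's offered list, an on-path attacker can delete entries from an unprotected offer, and authenticating the transcript under a key the attacker does not hold (as a TLS Finished message does) exposes the alteration. The protocol names, the shared key and the `run` helper are constructed for the example.

```python
import hashlib
import hmac

# Constructed, preference-ordered protocol names (not real suite identifiers).
SERVER_ACCEPTED = ["DHE-strong", "RSA-legacy"]  # what the administrator enabled


def negotiate(server_accepted, client_offered):
    """Server picks the first entry in its own preference order that the client offered."""
    for proto in server_accepted:
        if proto in client_offered:
            return proto
    return None


def mitm_strip(client_offered, removable):
    """Model the downgrade described in the thread: the offer travels unprotected,
    so an on-path party can drop the entries it would rather not see chosen."""
    return [p for p in client_offered if p not in removable]


def transcript_mac(key, client_offered, chosen):
    """MAC over one party's view of the handshake transcript: the client's offer as that
    party saw it, plus the server's choice. The key is assumed to be unknown to the attacker."""
    data = ",".join(client_offered).encode() + b"|" + chosen.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def run(server_accepted, client_offered, stripped_by_attacker, key=b"constructed-shared-key"):
    """Drive one handshake and report what was chosen and whether the views disagree."""
    seen_by_server = mitm_strip(client_offered, stripped_by_attacker)
    chosen = negotiate(server_accepted, seen_by_server)
    if chosen is None:
        # Nothing acceptable survived: the handshake simply fails, which is the
        # outcome Mark's advice (list only acceptable protocols) produces.
        return {"chosen": None, "tamper_detected": True}
    client_view = transcript_mac(key, client_offered, chosen)
    server_view = transcript_mac(key, seen_by_server, chosen)
    # The two MACs differ exactly when the offer was altered in transit.
    return {"chosen": chosen,
            "tamper_detected": not hmac.compare_digest(client_view, server_view)}
```

With both protocols enabled, stripping the stronger one lets the weaker one be chosen but the transcript MACs no longer match; with only the stronger one enabled, the stripped handshake fails outright.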