On 21/10/2014 16:05, Florian Weimer wrote:
* Jakob Bohm:
The purpose of the option is to make totally broken applications a
bit less secure (when they happen to certain servers). From my
I meant “a bit less insecure”, as Bodo pointed out.
OK, point already taken.
point of view, there is only one really good reason to have this
client-side option—so that you can test the server-side
support. That's why I implemented it for OpenJDK as well.
Application should *never* use it because it does not really solve
anything. If you have fallback code, your application is still
insecure.
No the purpose is to make them more secure by preventing their
(rarely needed) fallback code from being abused by MITM attackers,
but the extra protection only works if the server contains the
corresponding patch. Basically, if a (patched) server sees that
The key word here is “patched”, a broken-server-supporting application
gets only protection for well-maintained servers—after the Powers That
Be forced server operators to add a patch to better support such
broken-server-supporting applications. No one will be forced to fix
their insecure, version-intolerant servers, and it is unlikely that
those will ever implement TLS_FALLBACK_SCSV. It's a bit like telling
people to wear gas mask, instead of taking measures against air
polution.
I wouldn't be so harsh. I would say it is like telling people who
still carry cash howto tell the difference between a legitimate old
cash-only business and a fraudulentcheck-out clerk trying to cheat
them into paying cash that the (credit card accepting)modern shop
will never see.
With the combination of the server and client patches, the broken-
server-supporting code willno longer constitute a risk except when
actually talking to broken servers run by the(certificate verified)
legitimate owners of the requested domain name.
That is a huge reduction of the associated risk, soon the fallback
code will no longer endanger a visit to the (sort of) well run places
that people trust the most.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
