On Tue, Aug 7, 2018 at 11:08:12PM +0300, Heikki Linnakangas wrote: > >I know this is an academic question now, but I am not sure this is true. > >A man-in-the-middle attacker could say they don't support channel > >binding to the real client and real server and pretend to be the real > >server. What would work is to hash the secret in with the supported > >channel binding list. This is how TLS works --- all previous messages > >are combined with the secret into a transmitted hash to prevent a MITM > >from changing it. > > Yeah, that is what I meant. Currently, when client chooses to not use > channel binding, it the sends a single flag, y/n, to indicate whether it > thinks the server supports channel binding or not. That flag is included in > the hashes used in the authentication, so if a MITM tries to change it, the > authentication will fail. If instead of a single flag, it included a list of > channel binding types supported by the server, that would solve the problem > with supporting multiple channel binding types.
Yes, agreed. -- Bruce Momjian <br...@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + As you are, so once was I. As I am, so you will be. + + Ancient Roman grave inscription +
