On Mon, Jan 11, 2016 at 3:09 PM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

> The vulnerabilities shown in the SLOTH paper were based on the fact that
> implementations still allow MD5 for authentication/integrity protection,
> even if (for example) it's explicitly disabled in the config.  So the
> problem wasn't a fault in the protocol, it's buggy implementations (as it
> was for ones that allowed 512-bit keys, non-prime primes, and so on).
> Throwing out TLS 1.1 based on this seems rather premature.
>

My understanding is TLS 1.2 specifically was amended to allow MD5
signatures even though this was not the case in previous TLS versions, or
at least that was the claim of the miTLS presenters on SLOTH at
RealWorldCrypto 2016.

If this is the case, this seems like a big regression in TLS 1.2.

--
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
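The MD5 entries at issue come in through the TLS 1.2 signature_algorithms extension (RFC 5246, section 7.4.1.4.1), where HashAlgorithm md5 is code point 1. The following is an added example, not code from either poster or from any TLS implementation discussed here: it parses the extension body as the RFC defines it (a 2-byte length followed by HashAlgorithm/SignatureAlgorithm byte pairs), flags MD5-based entries, and strips them before the list is used for negotiation, which is the enforcement step Peter says buggy implementations skip even when MD5 is disabled in the config. The sample bytes are constructed for the example.

```python
"""Inspect a TLS 1.2 signature_algorithms extension body and flag or strip
MD5-based entries (added example; not from the mailing-list thread)."""
import struct
from typing import List, Tuple

# Code points from RFC 5246, section 7.4.1.4.1
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
              4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
MD5 = 1
# Hash algorithms a server-side policy refuses to sign or verify with.
# MD5 is the case from the thread; "none" is rejected as well since it
# never denotes a real digest.
DISALLOWED_HASHES = frozenset({0, MD5})

Pair = Tuple[int, int]


def parse_signature_algorithms(ext_data: bytes) -> List[Pair]:
    """Parse extension_data: uint16 length, then (hash, sig) byte pairs.
    Malformed input raises ValueError, which a handshake should treat as a
    decode error rather than silently accepting a partial list."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    # RFC 5246 bounds the vector to <2..2^16-2>: non-empty, even length,
    # and the declared length must match what was actually sent.
    if length == 0 or length % 2 != 0 or length != len(body):
        raise ValueError("bad signature_algorithms length")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def weak_entries(pairs: List[Pair]) -> List[Pair]:
    """Entries whose hash is MD5, i.e. exactly what SLOTH relies on."""
    return [(h, s) for h, s in pairs if h == MD5]


def strip_disallowed(pairs: List[Pair],
                     disallowed=DISALLOWED_HASHES) -> List[Pair]:
    """Drop entries using a disallowed hash before the list is consulted
    for signature selection, so a config that disables MD5 is honoured."""
    return [(h, s) for h, s in pairs if h not in disallowed]


def describe(pairs: List[Pair]) -> List[str]:
    """Human-readable hash/signature names for logging."""
    return [f"{HASH_NAMES.get(h, h)}/{SIG_NAMES.get(s, s)}" for h, s in pairs]


def encode_signature_algorithms(pairs: List[Pair]) -> bytes:
    """Inverse of parse_signature_algorithms, for re-emitting a filtered list."""
    body = b"".join(bytes((h, s)) for h, s in pairs)
    return struct.pack("!H", len(body)) + body


# Constructed sample: a peer offering sha256/rsa, md5/rsa and sha1/ecdsa.
SAMPLE = bytes.fromhex("0006" "0401" "0101" "0203")

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE)
    print("offered :", describe(offered))
    print("md5     :", describe(weak_entries(offered)))
    allowed = strip_disallowed(offered)
    print("retained:", describe(allowed))
    print("re-encoded:", encode_signature_algorithms(allowed).hex())
```

A peer that offers only MD5 entries ends up with an empty retained list, and the right response is to refuse the handshake rather than fall back to the RFC default of sha1/rsa; the filtering step is where a config setting such as "MD5 disabled" must actually be applied.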
