On 7 March 2016 at 12:32, Martin Thomson <martin.thom...@gmail.com> wrote:
> On 7 March 2016 at 23:02, Hubert Kario <hka...@redhat.com> wrote:
> > well, if some people don't care about their implementation being
> > fingerprintable, let them be, but there should be at least a
> > recommendation what to do if you want to avoid that.
>
> I'd be very surprised if this added anything to the fingerprinting
> entropy already present in TLS implementations. You can't use this
> sort of thing to distinguish one user of NSS from another NSS user.
>

No, but you can use this sort of thing in combination to determine the version a server is running, not just the implementation. If there was a recommended alert for a given situation I imagine (perhaps over-optimistically) that it would be harder.

> BTW, I'm pretty much not willing to volunteer to review the patch that
> made NSS less fingerprintable as NSS. I'm pretty sure that involves
> replacing NSS with OpenSSL.
>

Making it hard (or at least harder) to distinguish the two would definitely not involve that. That said, I haven't fingerprinted NSS as a server in anywhere near as many configurations as OpenSSL, though this is mainly because I see it used that way less frequently.

Cheers

Rich.
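An added illustration of the point argued above (example code, not from the thread or from any TLS library): a small model of how much the alert a server sends in a handful of error situations reveals about which (implementation, version) it runs, and how a per-situation recommended alert shrinks that. The library names, version strings, situations and alert choices are all constructed for the example, not measured behaviour of any real stack.

```python
# Added example, not from the thread: measure how much a server's choice of
# TLS alert in a few error situations narrows down (implementation, version),
# and how far a recommended alert per situation reduces that.
# Every stack name and alert value below is CONSTRUCTED, not measured.
import math
from collections import defaultdict

# Hypothetical error situations a client can trigger (column order matters).
SITUATIONS = ("bad_padding", "unknown_extension", "no_shared_cipher")

# Constructed observation table: stack -> alert sent in each situation.
OBSERVED = {
    ("libA", "1.0"): ("decrypt_error", "handshake_failure", "handshake_failure"),
    ("libA", "1.1"): ("bad_record_mac", "handshake_failure", "handshake_failure"),
    ("libB", "3.1"): ("bad_record_mac", "unsupported_extension", "illegal_parameter"),
    ("libB", "3.2"): ("bad_record_mac", "unsupported_extension", "handshake_failure"),
}


def classes(table):
    """Group stacks by the alert tuple they emit; stacks in one group are
    indistinguishable to an observer who only sees alert codes."""
    groups = defaultdict(list)
    for stack, alerts in table.items():
        groups[alerts].append(stack)
    return dict(groups)


def leaked_bits(table):
    """Bits the alert tuple reveals about the stack, with every stack in the
    table equally likely a priori: log2(n) - sum_g (|g|/n) * log2(|g|)."""
    n = len(table)
    return math.log2(n) - sum(len(g) / n * math.log2(len(g))
                              for g in classes(table).values())


def versions_distinguishable(table):
    """True if two versions of the same implementation emit different alert
    tuples, i.e. alerts leak the version and not just the implementation."""
    by_impl = defaultdict(set)
    for (impl, _version), alerts in table.items():
        by_impl[impl].add(alerts)
    return any(len(seen) > 1 for seen in by_impl.values())


def apply_recommendation(table, recommended):
    """Model the proposal in the thread: in situations that have a recommended
    alert every stack sends it; other situations keep their observed alert."""
    return {stack: tuple(recommended.get(s, a) for s, a in zip(SITUATIONS, alerts))
            for stack, alerts in table.items()}
```

With the constructed table, the four stacks leak 2 bits (all distinguishable); recommending one alert for `bad_padding` drops that to 1.5 bits, and adding one for `no_shared_cipher` leaves 1 bit, which separates libA from libB but no longer the versions within each.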
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls