Hubert Kario <hka...@redhat.com> writes:

> On Thursday, 28 July 2016 06:12:48 CEST Watson Ladd wrote:
> > On Thu, Jul 28, 2016 at 3:28 AM, Hubert Kario <hka...@redhat.com> wrote:
> > > On Wednesday, 27 July 2016 09:50:18 CEST Wan-Teh Chang wrote:
> > >> Another source of interop failures is the firewall devices that do
> > >> anomaly detection.
> > > 
> > > how about adding a section that explicitly says what they are allowed to
> > > do, and what they should not do?
> > 
> > This is what parsing is for.
> 
> yes, and bugs in parsing may very well be exploitable
>  
> > > in other words, how they can still provide added value without breaking
> > > TLS in the future
> > 
> > Maybe they can't, and you shouldn't buy those products.
> 
> a pragmatist would say that double checking is defence in depth
> 
> and whatever we think doesn't change the fact that people do make them
> because people do buy them, so at least we can tell them how they can play
> nice

I don't think 'playing nice' is the point of these devices; the
concept is that unusual is bad, and so should be blocked.  They don't
just block new or unknown features, but sometimes also known features
being used in unusual combinations.  I've seen these devices raise a
security alert because of a ciphersuite list which contained only
ciphersuites used by browsers, but not in the expected
combination/order---at least, that's what I think it was.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls