It doesn’t necessarily need to be malicious. With how much of software deployment being massive YAML files with tons of environment variables, mistakenly including this won’t be that difficult.
On Sun, Aug 4, 2024 at 07:00 Ilari Liusvaara <ilariliusva...@welho.com> wrote: > On Sat, Aug 03, 2024 at 02:38:29PM -0700, Christian Huitema wrote: > > > > The security considerations of > > https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/ are pretty > > clear, but the discussion pointed out that environment variables can be > > installed without knowledge of most users. More protection is needed. > > Examples are explicit run time options, such as asking the user to set a > > special configuration flag to enable the feature, and compile time > > protections, which would only enable that configuration flag in special > > versions of the application. > > Any attacker that can tamper with environment variables is in position > to do way way worse things than enabling SSLKEYLOG. Possibly even worse > than an attacker capable of replacing the whole application with a > troijan! > > > > > -Ilari > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
