Standard file formats seem fine, non? On Thu, 20 Feb 2025, 21:20 _ _, <robainloy...@gmail.com> wrote:
> Hey, > > I disagree with this because if an attacker could write to the environment > variable used by the program or is able to side-load a library and capture > outbound packets, it is very likely that they already have privileged > access to the machine. > > However, I acknowledge that allowing an attacker to easily access these > functions is not desirable. > > In this specific case, environment variables are secure enough. > > Romain > > > Le jeu. 20 févr. 2025, 10:15, Bellebaum, Thomas < > thomas.belleb...@aisec.fraunhofer.de> a écrit : > >> Hello, >> >> I have just become aware of this draft and I believe there might be a >> good cautionary addition I would like to propose: >> >> Specifically, I am worried that with further encouragement to standardize >> this format, it will become a convenient way to surveil unsuspecting end >> users. All this requires is "some" access to the system, for many >> implementations this includes setting an environment variable. What an >> attacker gains is then something more reliable, machine-readable (and in >> many cases useful) than a simple keylogger. >> >> The problem here (in my opinion) is the word "unsuspecting". I would like >> to see an addition to the draft along the following lines: >> >> > A TLS application interacting with an end-user (e.g. a browser) MUST >> clearly communicate any requests to log TLS secrets to the user and MUST >> NOT indicate a secure connection. >> >> Otherwise, this draft looks fine to me. >> Thanks for your efforts, >> >> Thomas >> >> -- >> >> ``` >> M.Sc. Thomas Bellebaum >> Applied Privacy Technologies >> Fraunhofer Institute for Applied and Integrated Security AISEC >> >> Lichtenbergstraße 11, 85748 Garching >> <https://www.google.com/maps/search/Lichtenbergstra%C3%9Fe+11,+85748+Garching?entry=gmail&source=g> >> near Munich (Germany) >> Tel. +49 89 32299 86 1039 >> thomas.belleb...@aisec.fraunhofer.de >> https://www.aisec.fraunhofer.de >> >> ``` >> _______________________________________________ >> TLS mailing list -- tls@ietf.org >> To unsubscribe send an email to tls-le...@ietf.org >> > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-le...@ietf.org >
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
