> On Oct 28, 2017, at 4:32 PM, Hanno Böck <ha...@hboeck.de> wrote:
>
> That's not how Bleichenbacher attacks work... (which you should know as
> a co-author of the drown paper.)

You can safely drop the word "should"...

> As it has been pointed out multiple
> times this attack works cross-protocol and cross-server, so the mere
> existence of a vulnerable TLS RSA implementation with the same cert is
> a risk. You don't need any downgrade attack for that.

Yes, in the DROWN case the attack was a cross-protocol attack that leveraged servers that exposed a certificate used with SSLv3+ (on the same or some other server) via SSLv2.

With SSLv2 out of the picture, which attacks from RFC7457 do you see as the motivation to set a floor higher than the TLS 1.2 MTI cipher [ TLS_RSA_WITH_AES_128_CBC_SHA ] in SMTP?

Sure, clients and servers will typically negotiate other ciphers (PFS and AESGCM are quite common, and perhaps more secure, barring GCM pitfalls and ECDHE being broken by quantum computers any day now...).

-- 
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
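The cross-server point made in the quoted text (an RSA key is at risk wherever any endpoint using the same certificate still offers static RSA key exchange, even if the SMTP server itself negotiates PFS), as an added defender-side inventory check that is not part of this thread; the endpoint names, key identifiers and cipher lists below are constructed:

```python
"""Exposure model for an RSA key shared across TLS endpoints.

A TLS_RSA_* suite means the server's RSA key decrypts the premaster secret,
so a padding-oracle flaw at ANY endpoint offering such a suite with that key
weakens every other endpoint bound to the same key. Data here is constructed."""
from dataclasses import dataclass
from typing import Dict, List

STATIC_RSA_PREFIX = "TLS_RSA_WITH_"          # RSA key transport (no PFS)
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")    # ephemeral key exchange
MTI_TLS12 = "TLS_RSA_WITH_AES_128_CBC_SHA"   # TLS 1.2 mandatory-to-implement suite


@dataclass
class Endpoint:
    name: str            # hypothetical host:port label
    key_id: str          # identifier of the RSA key the certificate binds
    suites: List[str]    # IANA cipher-suite names the endpoint offers


def key_exchange(suite: str) -> str:
    """Classify a suite by how the premaster secret is established."""
    if suite.startswith(STATIC_RSA_PREFIX):
        return "static-rsa"
    if suite.startswith(PFS_PREFIXES):
        return "pfs"
    return "other"


def assess(endpoints: List[Endpoint]) -> Dict[str, Dict[str, List[str]]]:
    """Per key: endpoints that offer static RSA (potential oracle hosts) and
    endpoints exposed through them (all endpoints sharing that key)."""
    by_key: Dict[str, List[Endpoint]] = {}
    for ep in endpoints:
        by_key.setdefault(ep.key_id, []).append(ep)
    report = {}
    for key_id, eps in by_key.items():
        oracle = [e.name for e in eps
                  if any(key_exchange(s) == "static-rsa" for s in e.suites)]
        exposed = [e.name for e in eps] if oracle else []
        report[key_id] = {"oracle_endpoints": oracle, "exposed_endpoints": exposed}
    return report


def sample_report() -> Dict[str, Dict[str, List[str]]]:
    # Constructed inventory: SMTP is PFS-only but shares key A with a web
    # server that still offers the MTI suite; key B is PFS-only everywhere.
    inventory = [
        Endpoint("smtp.example.test:25", "rsa-key-A",
                 ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]),
        Endpoint("www.example.test:443", "rsa-key-A",
                 ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", MTI_TLS12]),
        Endpoint("imap.example.test:993", "rsa-key-B",
                 ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]),
    ]
    return assess(inventory)
```

Run `sample_report()` to see that smtp.example.test is listed as exposed even though it offers no static RSA suite itself.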