Re: Gopher TLS support in curl
> > Geomyidae uses a simple probing, which can be easily
> > implemented in
> > every server.
> >
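> >     /* Peek at the first byte without consuming it. */
> >     if (recv(sock, &byte0, 1, MSG_PEEK) < 1)
> >         return 1;
> >
> >     /* 0x16 is the TLS handshake record type. */
> >     if (byte0 == 0x16) {
> >         do_tls();
> >     }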
>
> That is a FANTASTIC trick! Actually it could be expanded to
> simply do plaintext for a non-TLS-capable client. I personally
> would prefer that, if only because I still want to use UMN gopher
> client sometimes. There is something about its lovely 90s feel...
I still don't understand how this can be protected against downgrade
attacks. A malicious MITM could simply ensure that the TLS trigger byte
was never communicated (race the packet, etc.) and both client and server
would then assume the connection isn't TLS.
Not a high risk, but if the end goal is security ...
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser@floodgap.com
-- The only thing to fear is fearlessness -- R. E. M. -------------------------
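
The downgrade concern raised in this message, as an added example (not code from geomyidae, curl, or anyone on this thread): the same first-byte probe with an explicit policy, so that a TLS-only listener closes the connection instead of serving plaintext when the 0x16 byte is absent. The names `admit`, `demo` and the `ACT_*` values are hypothetical, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical names throughout; not geomyidae or curl code. */
enum action { ACT_CLOSE = 0, ACT_PLAINTEXT = 1, ACT_TLS = 2 };

/* Peek at the first byte without consuming it, as the quoted probe does.
 * Opportunistic (require_tls == 0): any first byte other than 0x16 gets
 * plaintext, so the server cannot tell a legacy client from a connection
 * whose TLS was removed in transit. TLS-only (require_tls == 1): fail closed. */
enum action admit(int sock, int require_tls)
{
    unsigned char byte0;

    if (recv(sock, &byte0, 1, MSG_PEEK) < 1)
        return ACT_CLOSE;               /* error, or peer closed first */
    if (byte0 == 0x16)
        return ACT_TLS;                 /* TLS handshake record */
    return require_tls ? ACT_CLOSE : ACT_PLAINTEXT;
}

/* Constructed harness: send n bytes over a socketpair, return the decision. */
int demo(const unsigned char *first, size_t n, int require_tls)
{
    int sv[2], act = -1;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (n == 0 || write(sv[0], first, n) == (ssize_t)n) {
        shutdown(sv[0], SHUT_WR);       /* empty stream reads as EOF, not a hang */
        act = admit(sv[1], require_tls);
    }
    close(sv[0]);
    close(sv[1]);
    return act;
}

int main(void)
{
    const unsigned char hello[] = { 0x16, 0x03, 0x01 };  /* constructed */
    const unsigned char sel[] = "/\r\n";                 /* constructed */

    printf("tls-only, handshake byte: %d\n", demo(hello, 3, 1));
    printf("tls-only, selector:       %d\n", demo(sel, 3, 1));
    printf("opportunistic, selector:  %d\n", demo(sel, 3, 0));
    return 0;
}
```

The server-side policy only protects a listener that never needs to serve plaintext; a client that wants the same guarantee has to treat a failed handshake as an error rather than retrying in plaintext.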