Eric, (this crossed with v2)

On 7 Apr 2016, at 16:35, Eric Blake <eblake@...696...> wrote:

> On 04/07/2016 06:36 AM, Alex Bligh wrote:
>>
>> On 7 Apr 2016, at 13:13, Alex Bligh <alex@...872...> wrote:
>>
>>> I guess it's worth documenting
>>> this, though I thought it was obvious.
>>
>> The next version will have this section:
>>
>> ### Downgrade attacks
>>
>> A danger inherent in any scheme relying on the negotiation
>
> too much space

Yeah, the paste between emacs and OS-X Mail probably has tabs in. I checked version 2 with hexdump -C and that line is OK.

>> * The MitM hijacks a session and impersonates the client
>> (possibly by proxying it) claiming not to support TLS. In
>> this manner the server is confused into oeprating in a plain-text
>
> s/oeprating/operating/

thx

>> manner with the MitM (with the session being possibly
>> proxied to the server with the method above).
>
> s/server/client/

thx

>>
>> With regard to the first, any client that does not wish
>> to be subject to potential downgrade attack SHOULD ensure
>> that if a TLS endpoint is specified by the client, it
>> ensures that TLS is negotiated prior to sending or
>> requesting sensitive data. To recap, yhe client MAY send
>
> s/yhe/the/

thx

>> `NBD_OPT_STARTTLS` at any point during option haggling,
>> and MAY disconnect the session if `NBD_REP_ACK` is not
>> provided.
>
> Probably want to add: "but the client SHOULD strongly consider sending
> `NBD_OPT_STARTTLS` as its first option"

That's now elsewhere, but I've expanded that anyway in v2.

>> With regard to the second, any server that does not wish
>> to be subject to a potential downgrade attack SHOULD either
>> use FORCEDTLS mode, or should force TLS on those exports
>> it is concerned about using SELECTIVE mode and TLS-only
>> exports. It is not possible to avoid downgrade attacks
>> on exports which may be served either via TLS or
>> in plain text.
>
> Probably want to add: "OPTIONALTLS mode SHOULD NOT be used if there is a
> potential for man-in-the-middle attacks"

I've said "where man-in-the-middle attacks are a concern". These will all be in v3.

-- 
Alex Bligh
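The policy the draft section describes (client: negotiate TLS before anything sensitive and drop the session if `NBD_OPT_STARTTLS` is not acknowledged; server: FORCEDTLS, or SELECTIVE with TLS-only exports, because an export that may be served both ways cannot be protected) can be modelled as a small state machine over option haggling. The following is an added example written for this page, not code from the NBD project or from the thread; it models policy decisions only, not the wire format. The option and reply numbers are taken from the NBD protocol document (the thread names the codes but does not list their values); the `Downgrader` class is a constructed stand-in for the proxying peer described in the draft, used here only to show which client and server settings defeat it.

```python
"""Model of NBD option-haggling TLS policy (added example, not project code)."""
from dataclasses import dataclass
from enum import Enum

# Option and reply codes as defined in the NBD protocol document.
# The thread names these but does not list the numbers; values are
# taken from the spec, not from the page.
NBD_OPT_STARTTLS = 5
NBD_OPT_GO = 7
NBD_REP_ACK = 1
NBD_REP_ERR_UNSUP = (1 << 31) + 1
NBD_REP_ERR_TLS_REQD = (1 << 31) + 5


class ServerMode(Enum):
    NOTLS = "NOTLS"              # server has no TLS support at all
    OPTIONALTLS = "OPTIONALTLS"  # TLS offered, plain text also allowed
    FORCEDTLS = "FORCEDTLS"      # every export requires TLS
    SELECTIVE = "SELECTIVE"      # only listed exports require TLS


@dataclass
class Server:
    """Policy model of a server: decides replies to STARTTLS and GO."""
    mode: ServerMode
    tls_only_exports: frozenset = frozenset()   # used in SELECTIVE mode
    tls_active: bool = False

    def handle(self, opt, export=None):
        if opt == NBD_OPT_STARTTLS:
            if self.mode is ServerMode.NOTLS:
                return NBD_REP_ERR_UNSUP
            self.tls_active = True
            return NBD_REP_ACK
        if opt == NBD_OPT_GO:
            needs_tls = (self.mode is ServerMode.FORCEDTLS or
                         (self.mode is ServerMode.SELECTIVE and
                          export in self.tls_only_exports))
            if needs_tls and not self.tls_active:
                # Plain-text access to a TLS-only export is refused.
                return NBD_REP_ERR_TLS_REQD
            return NBD_REP_ACK
        return NBD_REP_ERR_UNSUP


class Downgrader:
    """Constructed stand-in for the proxying peer in the draft section:
    it relays every option to the real server except STARTTLS, which it
    answers itself with 'unsupported'."""

    def __init__(self, real_server):
        self.real = real_server

    def handle(self, opt, export=None):
        if opt == NBD_OPT_STARTTLS:
            return NBD_REP_ERR_UNSUP
        return self.real.handle(opt, export)


def client_connect(peer, export, require_tls):
    """Client side of the policy: if TLS was requested, send STARTTLS as the
    first option and disconnect unless it is acknowledged. Returns one of
    'tls', 'plain', 'disconnected', 'refused' or 'error'."""
    if require_tls:
        if peer.handle(NBD_OPT_STARTTLS) != NBD_REP_ACK:
            # No NBD_REP_ACK: do not fall back to plain text.
            return "disconnected"
    rep = peer.handle(NBD_OPT_GO, export)
    if rep == NBD_REP_ERR_TLS_REQD:
        return "refused"
    if rep != NBD_REP_ACK:
        return "error"
    return "tls" if require_tls else "plain"


if __name__ == "__main__":
    optional = Server(ServerMode.OPTIONALTLS)
    print("TLS client, honest server:", client_connect(optional, "disk", True))
    print("TLS client via downgrader:",
          client_connect(Downgrader(Server(ServerMode.OPTIONALTLS)), "disk", True))
    print("plain client via downgrader, OPTIONALTLS:",
          client_connect(Downgrader(Server(ServerMode.OPTIONALTLS)), "disk", False))
    print("plain client via downgrader, FORCEDTLS:",
          client_connect(Downgrader(Server(ServerMode.FORCEDTLS)), "disk", False))
```

The third case is the one the draft calls unavoidable: an OPTIONALTLS export reached by a client that did not insist on TLS ends up in plain text. The client-side check handles the first threat (the client disconnects when `NBD_OPT_STARTTLS` is not acknowledged), and FORCEDTLS or a SELECTIVE TLS-only export handles the second (the server answers the plain-text `NBD_OPT_GO` with an error instead of serving data).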