On 3/31/10 5:26 AM, Eddy Nigg wrote:
> security.ssl.require_safe_negotiation
>
> I believe this to be a mistake for various reasons, but first and
> foremost because an attack on a server without compromise of the client
> data as well, is basically useless. When an attacker induces
> renegotiation at the server, the attacker must have client credentials
> in order to act as if he were the original client. Without those
> credentials, the attacker would be treated as any other unauthenticated
> source.

The client supplies the credentials. Not every server or application is equally vulnerable, not all SSL connections use the HTTP protocol. Sure, there may be specific attacks due to this flaw that could be prevented in other ways (a typical anti-CSRF nonce in a web form, say) but that is not a general defense. SSL is a building-block and is supposed to guarantee an authenticated, encrypted, tamper-proof connection to the application layers above. It was broken and turns out to allow the injection of prefix content in some situations. Whether that can lead to compromise depends on what was built above the SSL layer.

> When a client (as in our case Firefox) implements RFC 5746, the client
> can't be compromised and no data is leaked from the client.

You don't know that! Depends on what the client is doing and what the server is. What if the attack is to make the client connect to an open redirector on the target site? The client could leak all kinds of data by sending it to the wrong site.

> SSLv2 was disabled in Firefox only a short while ago,

Three and a half years ago, October 2006 (longer if you count six months of 2.0 pre-release builds). But the ability for users to choose to disable it was available for years before that.

> I expect that it will take years upon years until 90% of all SSL enabled
> servers will support RFC 5746, not speaking about 99% or higher.

Then we would be foolish to toggle the default on that pref any time soon.

> Refusing to speak to servers that don't support RFC 5746
> [... will force] the user to accept unsafe renegotiation

Why? Those are two separate prefs. The user can easily speak to servers without RFC 5746 and still refuse unsafe renegotiation. But you know this because "Minefield" broke client-auth on your site with precisely these settings. What's your real point?

> It also must be noted that 99% or more of all SSL enabled web sites will
> never need renegotiation to work. A server which disabled renegotiation
> is at least as secure as a server supporting the new extension.

99.9% of bank customers will never have their bank go out of business. Why should they bother to check whether their bank is federally insured?

-Dan Veditz

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
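To make "supports RFC 5746" concrete, here is an added example (not from this thread or from Firefox/NSS) that checks whether a server's ServerHello carries the renegotiation_info extension (type 0xff01) that RFC 5746 defines; a server that omits it is exactly what a client with `security.ssl.require_safe_negotiation` set would refuse. The ServerHello bytes are constructed inline for the example, and the function names are my own.

```python
"""Detect RFC 5746 support from a TLS ServerHello record (added example)."""
import struct

RENEGOTIATION_INFO = 0xFF01   # RFC 5746 extension type


def _extension_types(ext_block: bytes) -> set:
    """Walk a TLS extensions block (type:2, length:2, data) and return the types."""
    types, pos = set(), 0
    while pos + 4 <= len(ext_block):
        ext_type, ext_len = struct.unpack(">HH", ext_block[pos:pos + 4])
        types.add(ext_type)
        pos += 4 + ext_len
    return types


def server_supports_rfc5746(record: bytes) -> bool:
    """Return True if a TLS ServerHello record carries renegotiation_info."""
    # record[0] is the content type (0x16 = handshake); record[5] is the
    # handshake message type (0x02 = server_hello) after the 5-byte record header.
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                      # server_version + random
    pos += 1 + body[pos]              # session_id (length-prefixed)
    pos += 2 + 1                      # cipher_suite + compression_method
    if pos + 2 > len(body):
        return False                  # no extensions block: pre-RFC 5746 server
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    return RENEGOTIATION_INFO in _extension_types(body[pos + 2:pos + 2 + ext_len])


def constructed_server_hello(with_renegotiation_info: bool) -> bytes:
    """Build a minimal TLS 1.0 ServerHello (constructed sample, not a capture)."""
    exts = b""
    if with_renegotiation_info:
        # renegotiation_info whose renegotiated_connection is empty, as on an
        # initial handshake: extension length 1, then a zero-length opaque field.
        exts += struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00"
    body = (b"\x03\x01" + bytes(32)   # version, random (zeroed for the sample)
            + b"\x00"                 # empty session_id
            + b"\x00\x2f"             # TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x00")                # null compression
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
```

The same parser can be pointed at the ServerHello from a real capture; a legacy server that silently allows old-style renegotiation will show no renegotiation_info extension at all.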