Arguing with myself a bit here.

On 5/25/2010 12:06 PM, Marsh Ray wrote:
> On 5/20/2010 7:20 PM, Matt McCutchen wrote:
>> When
>> "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref"
>> is off, Firefox will refuse to perform a server-initiated
>> renegotiation with a non-RFC-5746 server. What is the purpose of this
>> behavior? It doesn't mitigate the vulnerability because in the attack
>> scenario, the client believes it is performing an initial
>> negotiation.
>
> If the client goes ahead and completes the handshake, sending his client
> cert and/or cookies, he may be giving those authentication credentials
> to the bad guy's malicious request being buffered at the server.
But by that logic, the client should refuse to handshake at all with a
non-RFC-5746 server. (In reality that eventually needs to become the
default behavior.)

Seeing a server-initiated renegotiation from a non-RFC-5746 server is bad
because you now know that the server is more than just theoretically
vulnerable.

I suspect that some of the "security.ssl.*" parameters may equally apply to
server-side uses of NSS, in which case it is clearly a useful mitigation.

- Marsh

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto