TLS Man-In-The-Middle Vulnerability

Erwin Lam erwinlam at dds.nl
Sun Nov 22 22:47:36 UTC 2009


On Thursday 12 November 2009 03:15:20 Nick Mathewson wrote:
> On Wed, Nov 11, 2009 at 12:59:21PM -0500, Andrew S. Lists wrote:
> > On 11/05/09 15:52, Nick Mathewson wrote:
> > > On Thu, Nov 05, 2009 at 02:10:00PM -0500, Marcus Griep wrote:
> > >> Don't know if anyone else has seen or taken a look at this. I
> > >> don't know if this affects Tor, though I believe that we do use
> > >> certificate renegotiation in the protocol, and that is the entry
> > >> vector for this particular vulnerability:
> > >
> > > FWIW, this doesn't affect Tor.  The problem here is not
> > > renegotiation per se; the problem is doing renegotiation, then
> > > acting as though data sent _before_ the renegotiation were
> > > authenticated with the renegotiated credentials.
> > >
> > > The Tor protocol isn't vulnerable here because 1) it doesn't
> > > allow data to be sent before the renegotiation step, and 2) it
> > > doesn't treat a renegotiation as authenticating previously
> > > exchanged data (because there isn't any).
> >
> > The vulnerability itself might not affect Tor, but the OpenSSL
> > workaround for this vulnerability of disabling renegotiation by
> > default in 0.9.8l [1] might not play nice with a Tor
> > implementation.
> 
> Indeed it will not.  We have a fix in svn to make the 0.2.1.x and
> 0.2.2.x-alpha series both work correctly with OpenSSL 0.9.8l.  With
> any luck, we should get releases out before too long.

Hi Nick,

Would you mind releasing that updated version a.s.a.p.? Tor doesn't work
here at all anymore.

Regards,
Erwin

-- 
Erwin Lam (erwinlam at dds.nl)
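
The distinction drawn in the quoted text above (data sent before a renegotiation being treated as authenticated by the renegotiated credentials), as an added example that is not part of the original message and is not Tor or OpenSSL code. It is a toy model of a record stream, not real TLS; the `Event` type, the function names and the sample identities are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    kind: str   # "data" or "renegotiate" (hypothetical event names)
    value: str  # payload for "data", peer identity for "renegotiate"

def attribute_naive(events):
    """Flawed policy: credit every chunk on the connection to the
    identity established by the last renegotiation."""
    final = None
    for e in events:
        if e.kind == "renegotiate":
            final = e.value
    return [(final, e.value) for e in events if e.kind == "data"]

def attribute_per_epoch(events):
    """Credit each chunk only to the identity in force when it arrived."""
    current, out = None, []
    for e in events:
        if e.kind == "renegotiate":
            current = e.value
        else:
            out.append((current, e.value))
    return out

def accept_no_early_data(events):
    """Policy with the two properties stated in the thread: no data may
    precede the renegotiation, so nothing earlier can be re-attributed."""
    seen_reneg = False
    for e in events:
        if e.kind == "renegotiate":
            seen_reneg = True
        elif not seen_reneg:
            raise ValueError("data before renegotiation: closing connection")
    return attribute_per_epoch(events)

# Constructed sample: one unauthenticated chunk, then a renegotiation.
SAMPLE = [Event("data", "prefix"),
          Event("renegotiate", "client-A"),
          Event("data", "request")]

if __name__ == "__main__":
    print("naive:    ", attribute_naive(SAMPLE))
    print("per-epoch:", attribute_per_epoch(SAMPLE))
    try:
        accept_no_early_data(SAMPLE)
    except ValueError as err:
        print("strict:   ", err)
```
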