Date: Thu, 10 Dec 2009 16:29:24 +0100 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: "Barry Raveendran Greene" <bgreene@senki.org> Cc: 'Bogdan =?utf-8?Q?=C4=86ulibrk'?= <bc@default.rs>, freebsd-security@freebsd.org, wollman@bimajority.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-09:15.ssl Message-ID: <864onyluej.fsf@ds4.des.no> In-Reply-To: <000301ca79a6$d24cc8e0$76e65aa0$@org> (Barry Raveendran Greene's message of "Thu, 10 Dec 2009 06:41:00 -0800") References: <4B20D86B.7080800@default.rs> <000301ca79a6$d24cc8e0$76e65aa0$@org>
next in thread | previous in thread | raw e-mail | index | archive | help
"Barry Raveendran Greene" <bgreene@senki.org> writes: > You will have to wait on the TLS Working Group in the IETF to finish > if your application needs renegotiation. The correct anser is: You will have to perform a threat assessment to determine how likely a MITM attack is, how serious the consequences would be, whether the product of these two factors is sufficiently low to justify continued operation with a flawed protocol, and, should you decide to go on, what measures can be put in place to mitigate the consequences of an attack. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?864onyluej.fsf>