Date: Mon, 18 May 2015 08:52:28 -0500
From: Mark Felder <feld@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: Forums.FreeBSD.org - SSL Issue?
Message-ID: <1431957148.2823348.271640449.22FB98B2@webmail.messagingengine.com>
In-Reply-To: <55591EE8.9070101@obluda.cz>
References: <CACRVPYOALi-V8D34zeJTYdSwHshYrqtttqVV3=aP8Yb6ZAxfyg@mail.gmail.com>
 <2857899F-802E-4086-AD41-DD76FACD44FB@modirum.com>
 <05636D22-BBC3-4A15-AC44-0F39FB265CDF@patpro.net>
 <20150514193706.V69409@sola.nimnet.asn.au>
 <F2460C80-969A-46DF-A44F-6C3D381ABDC3@patpro.net>
 <5554879D.7060601@obluda.cz>
 <1431697272.3528812.269632617.29548DB0@webmail.messagingengine.com>
 <5556E5DC.7090809@obluda.cz>
 <1431894012.1947726.271026057.54BB4786@webmail.messagingengine.com>
 <55590817.1030507@obluda.cz>
 <1431900010.1965646.271069369.67E0F082@webmail.messagingengine.com>
 <55591EE8.9070101@obluda.cz>

On Sun, May 17, 2015, at 18:06, Dan Lukes wrote:
> On 05/18/15 00:00, Mark Felder:
> >> If TLS 1.0 is considered severe security issue AND system utilities are
> >> using it, why there is no Security Advisory describing this system
> >> vulnerability ?
> >>
> >
> > It's not a vulnerability in software, it's weakness in the protocol
> > design.
>
> Like protocol downgrade triggered by MITM attack flaw or
> protocol design flaw in session renegotiation support. The first one
> addressed in FreeBSD-SA-14:23.openssl, the second one in
> FreeBSD-SA-09:15.ssl
>
> So the "is it protocol flaw or implementation bug" seems not to be true
> major criteria.
>
> OK, I wish I got best answer to my question possible. I'm not going to
> discuss SA issuing policy in this thread.
>

FreeBSD-SA-14:23: primarily backported a new feature (TLS_FALLBACK_SCSV)
to help prevent those with stronger crypto from being forced to
downgrade to weak crypto via a MITM attack

FreeBSD-SA-09:15: fixes some bugs dealing with potential MITM attacks

Neither of these directly address a broken protocol, such as warning all
users that "using SSL 3.0 or TLS 1.0 is dangerous"

I mean, should we have an SA because our libc supports strcpy and people
can use that and create severe vulnerabilities? Or the fact that there
is no firewall enabled by default, so you should probably enable one?
That seems a bit extreme. You could write a whole book and still not
cover all of these topics :-)

Hope that helps