On 04/10/2014 12:29 AM, James A. Donald wrote: > On 08/04/14 11:46, ianG wrote: >>> We have here a rare case of a broad break in a security protocol leading >>> to compromise of keys. > > On 2014-04-09 21:53, Alan Braggins wrote: >> Though it's an implementation break, not a protocol break. > > Not exactly. The protocol failed to define a response to nonsensical > records. The bug was that the protocol responded to invalid records the > same way as if they were valid. > > The protocol should have said "a valid record shall satisfy the > following requirements. Invalid records shall be silently discarded and > all actions that depend on them silently terminated."
Well, the RFC [1] (end of p5) does say : If the payload_length of a received HeartbeatMessage is too large, the received HeartbeatMessage MUST be discarded silently. I guess that doesn't say "longer than actual payload" though so it doesn't explicitly call out the case that caused the problem. I figure there are some protocol design lessons maybe. There's a thread started on the TLS list about it today. [2] Be interesting to see what that turns up. S. [1] https://tools.ietf.org/html/rfc6520 [2] https://www.ietf.org/mail-archive/web/tls/current/msg11891.html > > > _______________________________________________ > cryptography mailing list > cryptography@randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > > _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography