Hector Santos <[email protected]> writes:

> Russ Allbery wrote:
>
>> It's not supposed to trust what the server said before STARTTLS, since
>> everything sent before STARTTLS may have been provided by a
>> man-in-the-middle attacker. It's stronger than just not assuming that
>> the same extensions apply. Even if extensions happen to still be
>> available, trusting the extension return before STARTTLS can permit an
>> attacker to launch a down-negotiation attack, for example.
>
> Maybe I don't see it. If the client is being fooled, one would think
> that it would be to relax the client, not push it into a more secured
> mode.

Right, that's what a down-negotiation attack is. The attacker would, for
instance, advertise that the server supported authentication but only list
weak authentication protocols. If the client then proceeded on the basis
of the extension list from the attacker, it would use a weaker (and
possibly vulnerable) authentication protocol instead of a stronger one
that the server actually supports.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
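An added example, not part of this thread, showing the client-side consequence of Russ's point: a client that keeps the EHLO extension list it saw before STARTTLS ends up with the weak mechanism an on-path attacker left in it, while a client that re-issues EHLO inside the TLS session picks from the list the server actually sent. The two EHLO responses, the host name, the mechanism names and the preference order are all constructed for illustration.

```python
# Added example: why an SMTP client must discard the pre-STARTTLS EHLO
# result and re-issue EHLO under TLS. Both replies below are constructed;
# in the first, the AUTH line is what an on-path attacker could have left.

# Constructed EHLO reply as seen before STARTTLS (attacker-editable).
EHLO_BEFORE_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"            # only weak mechanisms listed
    "250 8BITMIME\r\n"
)

# Constructed EHLO reply re-issued inside the TLS session (authentic).
EHLO_AFTER_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-AUTH SCRAM-SHA-256 CRAM-MD5 PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)

# Hypothetical client preference, strongest first.
PREFERENCE = ["SCRAM-SHA-256", "CRAM-MD5", "PLAIN", "LOGIN"]


def parse_ehlo(response):
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [params]}."""
    exts = {}
    for line in response.splitlines()[1:]:        # skip the greeting line
        if not line.startswith("250"):
            raise ValueError("unexpected reply line: %r" % line)
        parts = line[4:].split()                  # strip "250-" / "250 "
        if parts:
            exts[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return exts


def pick_auth(exts):
    """Pick the strongest supported mechanism offered in an EHLO result."""
    offered = set(exts.get("AUTH", []))
    return next((m for m in PREFERENCE if m in offered), None)


def choose_mechanism(naive):
    """naive=True reuses the pre-STARTTLS list; False re-issues EHLO under TLS."""
    pre_tls = parse_ehlo(EHLO_BEFORE_STARTTLS)
    if "STARTTLS" not in pre_tls:
        return None                               # refuse to authenticate in the clear
    # ... STARTTLS issued, TLS handshake completes ...
    if naive:
        return pick_auth(pre_tls)                 # trusts attacker-editable data
    return pick_auth(parse_ehlo(EHLO_AFTER_STARTTLS))   # re-EHLO, as RFC 3207 requires
```

The naive path selects PLAIN, the correct path selects SCRAM-SHA-256; nothing the server said before STARTTLS should survive into the authenticated decision.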
