On Sat, Dec 17, 2011 at 6:11 AM, Anne van Kesteren <ann...@opera.com> wrote:
> On Fri, 09 Dec 2011 19:54:31 +0100, Eric Rescorla <e...@rtfm.com> wrote:
>>
>> Unfortunately, many servers do not support TLS 1.1, and to make matters
>> worse, they do so in a way that is not securely verifiable. By which I
>> mean that an active attacker can force a client/server pair both of which
>> support TLS 1.1 down to TLS 1.0. This may be detectable in some way, but not
>> by TLS's built-in mechanisms. And since the threat model here is an active
>> attacker, this is a problem.
>
> It seems user agents are addressing this issue in general by simply removing
> support for those servers so we might not have to define anything here and
> just leave it to the TLS standards:
>
> http://my.opera.com/securitygroup/blog/2011/12/11/opera-11-60-and-new-problems-with-some-secure-servers
Sorry, I forgot to mention the 1/n+1 splitting countermeasure in my response. With that said, this isn't TLS 1.1, but rather a specific, more backwards-compatible countermeasure. It's fine for the security considerations section to say here that browsers must do either TLS 1.1 or 1/n+1 splitting, but it should say something, since it's not like 1/n+1 splitting is required by TLS (any version).

-Ekr
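The record-splitting countermeasure Ekr refers to (commonly written as 1/n-1 splitting) can be seen in a toy model of the TLS 1.0 CBC record layer. This is an added illustration, not code from the thread or from any browser: the block cipher is a stand-in keyed function (HMAC-SHA256 truncated to one block), the MAC is omitted, and the key and plaintexts are constructed. It shows why a chained IV is predictable to an attacker watching the wire, and why splitting off a 1-byte record makes the IV for the rest of the data unpredictable.

```python
import hmac
import hashlib

BLOCK = 16  # cipher block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed block function (HMAC-SHA256 truncated to one block).
    A real record layer uses AES here; only the CBC chaining matters for this demo."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tls_pad(data: bytes) -> bytes:
    """TLS-style CBC padding: fill to a block boundary with bytes equal to the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n - 1]) * n


class Tls10Writer:
    """Toy TLS 1.0 CBC record writer (MAC omitted). The IV of every record is the
    last ciphertext block of the previous record, so it is visible on the wire."""

    def __init__(self, key: bytes, first_iv: bytes):
        self.key, self.chain = key, first_iv

    def encrypt_record(self, plaintext: bytes):
        iv_used, prev, out = self.chain, self.chain, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(prev, plaintext[i:i + BLOCK]))
            out += prev
        self.chain = prev  # next record's IV: the block just put on the wire
        return iv_used, out

    def send(self, data: bytes, split: bool):
        """With split=True, apply 1/n-1 splitting: a 1-byte record followed by the rest,
        written together, so the bulk record's IV is the 1-byte record's ciphertext."""
        chunks = [data[:1], data[1:]] if split and len(data) > 1 else [data]
        return [self.encrypt_record(tls_pad(c)) for c in chunks]


def attacker_can_predict_iv(split: bool) -> bool:
    """Simulate a chosen-plaintext attacker who has watched the wire so far and must
    pick plaintext before it is encrypted; return True if the IV applied to the bulk
    of that plaintext equals the ciphertext block the attacker has already seen."""
    writer = Tls10Writer(key=b"constructed-key!", first_iv=bytes(BLOCK))  # constructed
    writer.send(b"earlier application data on this connection", split=False)
    predicted_iv = writer.chain  # last ciphertext block seen on the wire
    records = writer.send(b"attacker-chosen plaintext", split)  # constructed sample
    return records[-1][0] == predicted_iv
```

Without splitting the IV under the chosen plaintext is exactly the block the attacker already observed; with splitting it is the keyed output of the 1-byte record, which the attacker cannot compute in advance.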