On 7 Apr 2016, at 13:13, Alex Bligh <a...@alex.org.uk> wrote:

> I guess it's worth documenting
> this, though I thought it was obvious.

The next version will have this section:

### Downgrade attacks

A danger inherent in any scheme relying on the negotiation of whether TLS should be employed is downgrade attacks. There are two main dangers:

* A Man-in-the-Middle (MitM) hijacks a session and impersonates the server (possibly by proxying it) claiming not to support TLS. In this manner, the client is confused into operating in a plain-text manner with the MitM (with the session possibly being proxied in plain-text to the server using the method below).

* The MitM hijacks a session and impersonates the client (possibly by proxying it) claiming not to support TLS. In this manner the server is confused into operating in a plain-text manner with the MitM (with the session possibly being proxied to the server using the method above).

With regard to the first, any client that does not wish to be subject to a potential downgrade attack SHOULD ensure that, if a TLS endpoint is specified by the client, TLS is negotiated prior to sending or requesting sensitive data. To recap, the client MAY send `NBD_OPT_STARTTLS` at any point during option haggling, and MAY disconnect the session if `NBD_REP_ACK` is not provided.

With regard to the second, any server that does not wish to be subject to a potential downgrade attack SHOULD either use FORCEDTLS mode, or should force TLS on those exports it is concerned about using SELECTIVE mode and TLS-only exports. It is not possible to avoid downgrade attacks on exports which may be served either via TLS or in plain text.

--
Alex Bligh
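The two dangers above, played out over the newstyle option-haggling messages, as an added example that is not part of the mail and not code from the NBD protocol document or any NBD implementation. The wire constants (`IHAVEOPT`, the reply magic, `NBD_OPT_STARTTLS`, `NBD_REP_ACK`, `NBD_REP_ERR_UNSUP`, `NBD_REP_ERR_TLS_REQD`) are the published NBD values and the mode names follow the mail; the `Server`, `MitM` and `client` objects, the in-memory "connection" (one `handle()` call per message) and the simplified `NBD_OPT_GO` payload (export name only, no info requests) are assumptions made for the illustration. A strict client that follows the SHOULD disconnects when STARTTLS is refused and never sends its export name in the clear; a lax client is downgraded. On the server side, FORCEDTLS and a TLS-only export in SELECTIVE mode refuse the plain-text `NBD_OPT_GO` with `NBD_REP_ERR_TLS_REQD`, while an export that may be served either way is handed out in plain text, which is the case the last sentence says cannot be protected.

```python
"""Model of NBD option haggling with NBD_OPT_STARTTLS showing both downgrade
attacks. Added example, not code from proto.md or any NBD implementation.
Wire constants are the published NBD values; the classes, the in-memory
'connection' (one handle() call per message) and the simplified NBD_OPT_GO
payload (export name only) are assumptions made for this illustration."""
import struct

IHAVEOPT = 0x49484156454F5054         # client -> server option magic
REPLY_MAGIC = 0x3E889045565A9         # server -> client reply magic
NBD_OPT_ABORT, NBD_OPT_STARTTLS, NBD_OPT_GO = 2, 5, 7
NBD_REP_ACK = 1
NBD_REP_ERR_UNSUP = (1 << 31) + 1     # option not supported
NBD_REP_ERR_TLS_REQD = (1 << 31) + 5  # refused until TLS is negotiated

def encode_option(opt, data=b""):
    return struct.pack(">QII", IHAVEOPT, opt, len(data)) + data

def decode_option(buf):
    magic, opt, length = struct.unpack(">QII", buf[:16])
    assert magic == IHAVEOPT, "bad option magic"
    return opt, buf[16:16 + length]

def encode_reply(opt, rep, data=b""):
    return struct.pack(">QIII", REPLY_MAGIC, opt, rep, len(data)) + data

def decode_reply(buf):
    magic, opt, rep, length = struct.unpack(">QIII", buf[:20])
    assert magic == REPLY_MAGIC, "bad reply magic"
    return opt, rep, buf[20:20 + length]

class Server:
    """Haggling half of a server in NOTLS, SELECTIVE or FORCEDTLS mode;
    tls_only names the exports SELECTIVE mode serves over TLS only."""
    def __init__(self, mode, tls_only=()):
        self.mode, self.tls_only, self.tls = mode, set(tls_only), False
        self.plaintext_exports = []   # exports handed out without TLS

    def handle(self, raw):
        opt, data = decode_option(raw)
        if opt == NBD_OPT_STARTTLS:
            if self.mode == "NOTLS":
                return encode_reply(opt, NBD_REP_ERR_UNSUP)
            self.tls = True           # the TLS handshake would follow the ACK
            return encode_reply(opt, NBD_REP_ACK)
        if opt == NBD_OPT_GO:
            name = data.decode()
            forced = self.mode == "FORCEDTLS"
            selective = self.mode == "SELECTIVE" and name in self.tls_only
            if not self.tls and (forced or selective):
                return encode_reply(opt, NBD_REP_ERR_TLS_REQD)
            if not self.tls:
                self.plaintext_exports.append(name)
            return encode_reply(opt, NBD_REP_ACK)
        if opt == NBD_OPT_ABORT:
            return encode_reply(opt, NBD_REP_ACK)
        return encode_reply(opt, NBD_REP_ERR_UNSUP)

class MitM:
    """Attacker in the path: answers STARTTLS itself with 'unsupported' and
    proxies everything else to the real server in plain text."""
    def __init__(self, server):
        self.server, self.seen_plaintext = server, []

    def handle(self, raw):
        opt, data = decode_option(raw)
        if opt == NBD_OPT_STARTTLS:
            return encode_reply(opt, NBD_REP_ERR_UNSUP)
        self.seen_plaintext.append((opt, data))   # readable by the attacker
        return self.server.handle(raw)

def client(peer, export, require_tls):
    """Client that asks for TLS first. With require_tls it follows the SHOULD
    and disconnects when STARTTLS is not ACKed. Returns (status, tls_active)."""
    _, rep, _ = decode_reply(peer.handle(encode_option(NBD_OPT_STARTTLS)))
    tls = rep == NBD_REP_ACK
    if not tls and require_tls:
        peer.handle(encode_option(NBD_OPT_ABORT))
        return "disconnected", False
    _, rep, _ = decode_reply(peer.handle(encode_option(NBD_OPT_GO, export.encode())))
    return ("ok" if rep == NBD_REP_ACK else "refused"), tls

def attack_on_client(require_tls):
    """First danger: MitM impersonating a server that 'cannot' do TLS."""
    mitm = MitM(Server("SELECTIVE", tls_only=["secret"]))
    status, tls = client(mitm, "public", require_tls)
    return status, tls, [opt for opt, _ in mitm.seen_plaintext]

def attack_on_server(mode, export):
    """Second danger: MitM impersonating a client that never sends STARTTLS."""
    srv = Server(mode, tls_only=["secret"])
    _, rep, _ = decode_reply(srv.handle(encode_option(NBD_OPT_GO, export.encode())))
    return rep, srv.plaintext_exports
```

`attack_on_client(True)` returns `("disconnected", False, [NBD_OPT_ABORT])`: the only thing the MitM sees in the clear is the abort. `attack_on_client(False)` returns `("ok", False, [NBD_OPT_GO])`, the downgraded session. `attack_on_server("FORCEDTLS", "public")` and `attack_on_server("SELECTIVE", "secret")` both return `NBD_REP_ERR_TLS_REQD` with nothing served, whereas `attack_on_server("SELECTIVE", "public")` returns `NBD_REP_ACK` with `"public"` served in plain text.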