On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM attacker like an ISP can generally tamper with
certificate chains sent in TLS handshake anyway, but AIA fetching would allow an
adversary more hops away on a different continent to tamper with the connection.
How would
- Original Message -
From: Kurt Roeckx k...@roeckx.be
To: mozilla-dev-security-pol...@lists.mozilla.org
Sent: Thursday, 31 July, 2014 9:54:45 AM
Subject: Re: Dynamic Path Resolution in AIA CA Issuers
On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM
On 07/31/2014 09:54 AM, Kurt Roeckx wrote:
On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM attacker like an ISP can generally tamper
with
certificate chains sent in TLS handshake anyway, but AIA fetching would
allow an
adversary more hops away on a different
On 7/30/2014 3:14 PM, David E. Ross wrote:
On 7/30/2014 12:17 PM, Kathleen Wilson wrote:
On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those
On Thu, Jul 31, 2014 at 05:15:58PM +0200, Ondrej Mikle wrote:
On 07/31/2014 09:54 AM, Kurt Roeckx wrote:
On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM attacker like an ISP can generally
tamper with
certificate chains sent in TLS handshake anyway, but AIA
On 07/31/2014 07:37 PM, Kurt Roeckx wrote:
On Thu, Jul 31, 2014 at 05:15:58PM +0200, Ondrej Mikle wrote:
On 07/31/2014 09:54 AM, Kurt Roeckx wrote:
On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM attacker like an ISP can generally
tamper with
certificate chains
On Thu, July 31, 2014 4:31 pm, Ondrej Mikle wrote:
This is interesting. I checked TLS 1.2 RFC 5246 whether Finished message
should
work this way, but I'm not sure. I think you mean that
Hash(handshake_messages) should detect this, right? But it's still just
hash,
thus again not
On Wed, Jul 30, 2014 at 12:17 PM, Kathleen Wilson kwil...@mozilla.com wrote:
On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those certificates
On Wed, Jul 30, 2014 at 12:17:27PM -0700, Kathleen Wilson wrote:
On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those certificates when attempting
On 7/30/2014 12:17 PM, Kathleen Wilson wrote:
On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those certificates when attempting to find them
On 07/30/2014 09:17 PM, Kathleen Wilson wrote:
On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those certificates when attempting to find them
On 07/31/2014 01:17 AM, Ondrej Mikle wrote:
On 07/30/2014 09:17 PM, Kathleen Wilson wrote:
[...]
So, Should we do this?
Does it introduce security concerns?
It definitely introduces non-deterministic behavior controlled by a potential
MitM attacker, in addition being hard to debug.
12 matches
Mail list logo