David Benjamin <david...@chromium.org> writes:

>EMS does not fix the ServerKeyExchange signature payload. It's still just the
>randoms and not the full transcript.

Maybe we're talking about different things here. EMS hashes the full transcript: for 1.0 and 1.1 with the dual SHA-1 and MD5 hash, for 1.2 with whatever's negotiated, hopefully SHA-2 (even if SHA-1 is used, you've now got two hashes you need to defeat simultaneously, not one). So while the ServerKeyExchange signature may not detect an attacker able to compromise SHA-1 in real time (and that statement alone should tell you how feasible the attack actually is), the later EMS will.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
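The point of the exchange above is that the extended master secret (RFC 7627) binds the whole handshake transcript into key derivation, whereas the classic derivation (RFC 5246) binds only the two randoms. The following is an added illustration, not code from the thread or from any TLS implementation: it implements the TLS 1.2 PRF with SHA-256 and derives both master secrets from a constructed transcript, then shows that altering the ServerKeyExchange bytes (leaving the randoms untouched) changes the EMS result but not the legacy one. The transcript bytes and pre-master secret are constructed sample values, not real captures.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, digest=hashlib.sha256):
    """TLS 1.2 P_hash (RFC 5246 s5): HMAC chain A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def legacy_master_secret(pms, client_random, server_random):
    """RFC 5246: only ClientHello.random and ServerHello.random are bound."""
    return prf(pms, b"master secret", client_random + server_random, 48)


def ems_master_secret(pms, handshake_messages, digest=hashlib.sha256):
    """RFC 7627: seed is session_hash over all handshake messages so far."""
    session_hash = digest(handshake_messages).digest()
    return prf(pms, b"extended master secret", session_hash, 48)


def tamper_comparison():
    """Return (legacy_unchanged, ems_unchanged) after editing ServerKeyExchange.

    All values below are constructed for the demo (hypothetical, not a trace).
    """
    pms = b"\x03\x03" + bytes(46)                  # constructed pre-master secret
    client_random = bytes(range(32))               # constructed
    server_random = bytes(range(32, 64))           # constructed
    client_hello = b"\x01" + client_random
    server_hello = b"\x02" + server_random
    ske = b"\x0c" + b"\xaa" * 64                   # constructed ServerKeyExchange body
    ske_tampered = b"\x0c" + b"\xab" + b"\xaa" * 63  # one byte changed, randoms intact
    honest = client_hello + server_hello + ske
    modified = client_hello + server_hello + ske_tampered
    legacy_unchanged = (legacy_master_secret(pms, client_random, server_random)
                        == legacy_master_secret(pms, client_random, server_random))
    ems_unchanged = ems_master_secret(pms, honest) == ems_master_secret(pms, modified)
    return legacy_unchanged, ems_unchanged
```

The legacy derivation cannot see the altered ServerKeyExchange at all, which is why it returns the same secret either way; the EMS derivation diverges, so the two sides would fail to agree on keys.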