Well, I guess you're right... Thanks for detecting this error. Could you
open an erratum please?
Thanks,
Yaron
On 21/12/16 23:16, Julien ÉLIE wrote:
Hi Yaron,
Actually I think the paragraph reads better in Sec. 2.2 because Sec. 2.1
is all about HTTP, but we should have picked a more inclusive heading
for 2.2, maybe "STARTTLS and the STARTTLS Command Injection Attack
(CVE-2011-0411)".
In that case, there would be a reference problem with RFC 7525 because
Section 3.2 of RFC 7525 mentions Section 2.1 for lack of STARTTLS (and
not 2.2):
    The following recommendations are provided to help prevent SSL
    Stripping (an attack that is summarized in Section 2.1 of [RFC7457]):

    o  Application protocols typically provide a way for the server to
       offer TLS during an initial protocol exchange, and sometimes also
       provide a way for the server to advertise support for TLS (e.g.,
       through a flag indicating that TLS is required); unfortunately,
       these indications are sent before the communication channel is
       encrypted.  A client SHOULD attempt to negotiate TLS even if these
       indications are not communicated by the server.
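The RFC 7525 Section 3.2 recommendation quoted in the message above, worked through as an added example (this is not code from the thread, from RFC 7457 or from RFC 7525). It simulates a STARTTLS-style capability exchange: a toy server either advertises STARTTLS, has that advertisement removed in transit (the stripping attack), or genuinely has no TLS. Two client policies are compared: the old "only try STARTTLS if the server listed it" habit, and the RFC 7525 behaviour of attempting STARTTLS regardless. The `ToyServer` class, the reply-code prefixes and the capability-line format are constructed for this example, and the choice to abort rather than fall back to cleartext when STARTTLS is refused is the "strict TLS configuration" reading of the same section, adopted here as an assumption.

```python
# Added example, not from the UTA thread or the RFCs it discusses.
# Simulates the RFC 7525 Section 3.2 recommendation: a client SHOULD attempt to
# negotiate TLS even if the server did not advertise it.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

EHLO_OK = "250"       # constructed: reply prefix of a capability line
TLS_READY = "220"     # constructed: reply prefix accepting STARTTLS
TLS_REFUSED = "454"   # constructed: reply prefix for "TLS not available"


@dataclass
class ToyServer:
    """What the client observes on the wire (constructed for this example).

    supports_tls  - whether the real server can actually run STARTTLS
    advertise_tls - whether the STARTTLS capability survives in the reply;
                    False with supports_tls=True models the stripping attack
                    (capability deleted by an on-path attacker)
    """
    supports_tls: bool = True
    advertise_tls: bool = True

    def ehlo(self) -> List[str]:
        caps = ["250-toy.example", "250-PIPELINING"]
        if self.advertise_tls:
            caps.append("250-STARTTLS")
        caps.append("250 8BITMIME")
        return caps

    def starttls(self) -> str:
        if self.supports_tls:
            return TLS_READY + " Ready to start TLS"
        return TLS_REFUSED + " TLS not available"


def parse_capabilities(lines: List[str]) -> Set[str]:
    """Extract capability keywords from a multi-line reply (constructed format)."""
    caps: Set[str] = set()
    for line in lines[1:]:  # first line carries the hostname, not a capability
        # both "250-KEYWORD" (more lines follow) and "250 KEYWORD" (last line)
        if line.startswith(EHLO_OK) and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps


def negotiate(server: ToyServer, policy: str) -> Tuple[str, bool]:
    """Return (channel, stripping_suspected) for one connection attempt.

    policy "advertised-only": try STARTTLS only if the server listed it,
        otherwise carry on in cleartext (the downgrade the attack relies on).
    policy "always-attempt": RFC 7525 Section 3.2 behaviour; STARTTLS is tried
        regardless of the advertisement. In this example the client never
        falls back to cleartext when it is refused (assumption: strict policy).
    """
    advertised = "STARTTLS" in parse_capabilities(server.ehlo())
    if policy == "advertised-only":
        if not advertised:
            return ("cleartext", False)  # silently downgraded
    elif policy != "always-attempt":
        raise ValueError(f"unknown policy {policy!r}")
    reply = server.starttls()
    if reply.startswith(TLS_READY):
        # STARTTLS works although it was not advertised: the advertisement was
        # most likely removed in transit, which is worth logging for detection
        return ("tls", not advertised)
    return ("abort", False)


SCENARIOS: Dict[str, ToyServer] = {
    "honest server": ToyServer(supports_tls=True, advertise_tls=True),
    "advertisement stripped": ToyServer(supports_tls=True, advertise_tls=False),
    "server without TLS": ToyServer(supports_tls=False, advertise_tls=False),
}


def run_scenarios() -> Dict[Tuple[str, str], Tuple[str, bool]]:
    """Run both client policies against every scenario."""
    results = {}
    for name, server in SCENARIOS.items():
        for policy in ("advertised-only", "always-attempt"):
            results[(name, policy)] = negotiate(server, policy)
    return results


if __name__ == "__main__":
    for (name, policy), (channel, suspected) in run_scenarios().items():
        flag = "  <- possible STARTTLS stripping" if suspected else ""
        print(f"{name:24} {policy:16} -> {channel}{flag}")
```

The two rows to compare are the "advertisement stripped" scenario: the advertised-only client ends up in cleartext without noticing anything, while the always-attempt client ends up on TLS and additionally gets a signal (STARTTLS accepted despite not being advertised) that a downgrade was attempted. The price of the strict policy shows in the "server without TLS" row, where the connection is aborted instead of proceeding in the clear.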
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta