Hi Yaron,
Well, I guess you're right... Thanks for detecting this error. Could you open an erratum please?
Yes, just done. -- Julien ÉLIE
Actually I think the paragraph reads better in Sec. 2.2 because Sec. 2.1 is all about HTTP, but we should have picked a more inclusive heading for 2.2, maybe "STARTTLS and the STARTTLS Command Injection Attack (CVE-2011-0411)".

In that case, there would be a reference problem with RFC 7525 because Section 3.2 of RFC 7525 mentions Section 2.1 for lack of STARTTLS (and not 2.2):

   The following recommendations are provided to help prevent SSL
   Stripping (an attack that is summarized in Section 2.1 of [RFC7457]):

   o  Application protocols typically provide a way for the server to
      offer TLS during an initial protocol exchange, and sometimes also
      provide a way for the server to advertise support for TLS (e.g.,
      through a flag indicating that TLS is required); unfortunately,
      these indications are sent before the communication channel is
      encrypted.  A client SHOULD attempt to negotiate TLS even if these
      indications are not communicated by the server.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
