Re: draft-hoffman-rfc2487bis-03.txt
> A client that wants to protect itself against an active attacker deleting
> the STARTTLS in the EHLO from the server should go ahead and do STARTTLS
> anyway.
I'm sorry, but perhaps I'm missing something here.
If an active attacker (I presume you mean as a man-in-the-middle attack)
deletes the STARTTLS extension offering, then what's to stop it from
responding 4xx (or 5xx, although it probably wouldn't as it wants to receive
the message) to the STARTTLS command and hoping that the client would
proceed with plain-text anyway?
--Marc
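The two downgrade cases discussed above (STARTTLS keyword removed from EHLO, and the STARTTLS command itself answered with 4xx), as an added example that is not part of the thread or the draft: a minimal simulation of the EHLO/STARTTLS exchange comparing an opportunistic client with one that enforces a "TLS required" policy. The host names, reply texts and the interposer behaviours are constructed for the example.

```python
# Added example (not from the draft or the list thread): simulate the
# EHLO / STARTTLS exchange against constructed server behaviours and compare
# an opportunistic client with one whose policy is "TLS required".

def advertises_starttls(ehlo_reply):
    """True if any EHLO reply line carries the STARTTLS keyword (case-insensitive)."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_reply)

def negotiate(server, require_tls):
    """Send EHLO, decide whether to send STARTTLS, and classify the outcome.
    Returns 'tls', 'plaintext' or 'abort'."""
    ehlo_reply = server("EHLO client.example")
    if not advertises_starttls(ehlo_reply) and not require_tls:
        return "plaintext"          # opportunistic client: silent downgrade
    reply = server("STARTTLS")      # strict client sends it even if the keyword was stripped
    if reply[0].startswith("220"):
        return "tls"                # the TLS handshake would begin here
    return "abort"                  # 4xx/5xx to STARTTLS: never continue in the clear

# Constructed server behaviours: each maps a command to its reply lines.
def honest_server(cmd):
    if cmd.startswith("EHLO"):
        return ["250-mail.example", "250-SIZE 10240000", "250 STARTTLS"]
    if cmd == "STARTTLS":
        return ["220 2.0.0 Ready to start TLS"]
    return ["500 5.5.1 Command unrecognized"]

def stripped_ehlo(cmd):
    """Interposer removes the STARTTLS keyword but forwards the STARTTLS command."""
    if cmd.startswith("EHLO"):
        return ["250-mail.example", "250 SIZE 10240000"]   # keyword removed
    return honest_server(cmd)

def stripped_and_rejected(cmd):
    """Marc's case: keyword removed and the STARTTLS command itself answered 454."""
    if cmd == "STARTTLS":
        return ["454 4.7.0 TLS not available due to temporary reason"]
    return stripped_ehlo(cmd)

def run_matrix():
    """Outcome of every (server behaviour, client policy) combination."""
    servers = {"honest": honest_server, "stripped": stripped_ehlo,
               "rejected": stripped_and_rejected}
    return {(name, policy): negotiate(srv, policy)
            for name, srv in servers.items() for policy in (False, True)}

if __name__ == "__main__":
    for (name, policy), outcome in run_matrix().items():
        print(f"{name:9s} require_tls={policy!s:5s} -> {outcome}")
```

Only the policy that both ignores the EHLO advertisement and treats a non-220 reply to STARTTLS as fatal ends in "abort" rather than "plaintext" for the rejecting interposer.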