httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Sylvester <>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Thu, 05 Nov 2009 15:26:50 GMT

Isn't the real simple cause the possiblity to 'upgrade'
an "anonymous" session to a client authenticated one
initiated by the server after seeing a request to
a ressource and the problem that the client cannot
repeat the request.

In case of a GET et consorts, the result of the request
is already protected by the new ciphersuite, so the
*attacker* cannot do much more that DOS, or
(one could respond with a redirect to the same resource
to see whether it really comes from the client)

In case of a POST et consorts I think one should simply
reject the request since it seems always possible to have
the post initiated already from an appropriate security
context. Either the form is in the same directory,
or the whole thing is on another virtual server, i.e.
the client has switched already.

This are my 3 quarks.
Peter Sylvester

View raw message