Re: SslStream weakness
- From: "Alun Jones" <alun@xxxxxxxxxxxxx>
- Date: Thu, 28 Dec 2006 16:38:05 -0800
"John Banes" <jabanes@xxxxxxxxxxxxxxxxxx> wrote in message
news:e#PdTeWBHHA.4472@xxxxxxxxxxxxxxxxxxxxxxx
> The .NET classes use schannel for SSL/TLS operations. I'm not a .NET
> expert by any means, but I know this because I owned schannel for years,
> and I remember helping out the .NET guys as they were implementing their
> code (five minutes with a debugger would tell me the same thing). I'm not
> sure if the .NET classes support sending CloseNotify messages or not,
> though. Personally, I've always considered the truncation attack to be
> fairly low priority in the grand scheme of things.
It's utterly unimportant on any protocol that includes its own information
as to when to expect the end of the data - HTTP, for instance, with its
Content-Length, or chunked encoding.
For protocols where the end of the data is indicated by the end of the TCP
stream, however, it's important that you correctly close the SSL stream
before the TCP stream, or else it would be relatively easy for an attacker
to curtail a stream of data without the recipient realising it. It's an
important, and relatively inexpensive, security measure for such protocols -
FTP is one example of such a protocol.
Alun.
~~~~
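The distinction Alun draws between length-framed and EOF-framed protocols, as an added example that is not part of the thread: a sender writes a prefix of a message over a loopback socket pair and closes it with a bare TCP close, standing in for the cut stream he describes. An HTTP-style receiver that honours Content-Length reports the truncation; an FTP-style receiver that treats end-of-stream as end-of-data accepts the prefix as a complete transfer. The constants and function names are this example's own; only the Python standard library is assumed.

```python
import socket

# Constructed sample: a 26-byte body behind an HTTP header that declares its length.
BODY = b"abcdefghijklmnopqrstuvwxyz"
HTTP_MESSAGE = b"HTTP/1.1 200 OK\r\nContent-Length: 26\r\n\r\n" + BODY


def read_until_eof(sock):
    """FTP-style data connection: end of the TCP stream is the end of the data,
    so any prefix of the data looks like a complete transfer."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def read_http_body(sock):
    """HTTP-style: Content-Length says how many body bytes must follow, so an
    early EOF is detectable. Returns (body, truncated)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return b"", True          # stream cut before the headers ended
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = next(int(line.split(b":", 1)[1].strip()) for line in head.split(b"\r\n")
                  if line.lower().startswith(b"content-length:"))
    while len(body) < length:
        chunk = sock.recv(4096)
        if not chunk:
            return body, True         # stream cut before the declared end
        body += chunk
    return body[:length], False


def deliver(message, cut_at, reader):
    """Send message[:cut_at] over a loopback pair, then end it with a bare TCP
    close (no end-of-data signal of any kind), and hand the other end to reader."""
    sender, receiver = socket.socketpair()
    try:
        sender.sendall(message[:cut_at])
        sender.close()
        return reader(receiver)
    finally:
        receiver.close()
```

Python's own `ssl` module exposes the TLS-level form of the same check: wrapping a socket with `suppress_ragged_eofs=False` makes a TCP close that arrives without a close_notify alert raise `ssl.SSLEOFError` instead of reading as a normal end of stream.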