W3C home > Mailing lists > Public > public-xg-mashssl@w3.org > February 2010

Re: [MashSSL]Microsoft warns of TLS/SSL flaw in Windows

From: Ravi Ganesan <ravi@findravi.com>
Date: Fri, 12 Feb 2010 12:42:43 -0800
Message-ID: <3561bdcc1002121242t328fa05dj3348364b97436025@mail.gmail.com>
To: Ben Wilson <ben@digicert.com>
Cc: public-xg-mashssl@w3.org
Ben, I followed this very closely. Just FYI for everyone:

i)  MashSSL has never had the concept of a renegotiation so was not effected
in any way by this vulnerability.

ii) In general this is one of the reasons I think starting with SSL is a
good idea. It is constantly under scrutiny and improvement. I'd rather use a
protocol like that, then one which only the bad guys know
the vulnerabilities!

Cheers, Ravi

On Thu, Feb 11, 2010 at 10:04 AM, Ben Wilson <ben@digicert.com> wrote:

>  I thought that because this article discussed a weakness caused by client
> authentication this group might be interested-
> http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-tslssl-flaw-in-windows.ars
>
>
>
> “Enabling the SSLAlwaysNegoClientCert setting will cause IIS to prompt the
> client for a certificate upon the initial connection, and does not require a
> server-initiated renegotiation. The downside is that setting this flag will
> require the client to authenticate prior to loading any element from the
> SSL-protected website and will thus cause the browser to always prompt the
> user for a client certificate upon connecting. Alternatively, the company is
> offering an update which lets system administrators disable TLS and SSL
> renegotiation functionality (available at KB977377<http://support.microsoft.com/default.aspx/kb/977377>).
> Microsoft admits, however, that renegotiation is required functionality for
> some applications so it doesn't recommend that this workaround be used for
> wide implementation (and should be tested rigorously before any
> implementation).”
>
>
>
> See you on today’s call.
>
>
>
> Ben
>
> Benjamin T. Wilson, JD CISSP
> General Counsel and EVP Industry Relations
> DigiCert, Inc.
>
> [image: Visit DigiCert.com] <http://www.digicert.com/>
>
> Online: www.DigiCert.com <http://www.digicert.com/>
> Email: ben@digicert.com
> Toll Free: *1-800-896-7973* (US & Canada)
> Direct: *1-801-701-9678*
> Fax: *1-866-842-0223* (Toll Free if calling from the US or Canada)
>  ------------------------------
>
> The information contained in this transmission may contain privileged and
> confidential information. It is intended only for the use of the person(s)
> named above. If you are not the intended recipient, you are hereby notified
> that any review, dissemination, distribution or duplication of this
> communication is strictly prohibited. If you are not the intended recipient,
> please contact the sender by reply email and destroy all copies of the
> original message. Thank You
>



-- 
Ravi Ganesan
ravi@findravi.com
www.findravi.com
Received on Friday, 12 February 2010 20:43:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 12 February 2010 20:43:17 GMT