W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: TLS Renegotiation and HTTP/2 (#363)

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 1 Apr 2014 15:21:20 +0300
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140401122120.GA866@LK-Perkele-VII>
On Tue, Apr 01, 2014 at 02:02:09PM +0300, Yoav Nir wrote:
> 
> Server sends:
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Certs
>         realm = “example.com”
>         challenge="EKgoC3wwy8KuJROo/gmG1we43c5av9OwOlWaYVPStsw=“
> 
> Client sends:
> Authorization: Certs
>         realm=“example.com”
>         hash=“SHA-256”
>         cert=“MIIGzTCC...gpECY="
>                 challenge="EKgoC3wwy8KuJROo/gmG1we43c5av9OwOlWaYVPStsw=“
>         signature=“FIMe3WLvlgX3BgJKYN0DXj4UGuauq5fwXgZErnFgVR0=“
> 
> All you really need with client certificate authentication is to show the certificate and sign something of the server’s choosing. You can make it fancier by having the server list supported hashes and trusted CAs, but that’s not strictly necessary.
 
That looks to be vulernable to forwarding and MITM attacks...


-Ilari 
Received on Tuesday, 1 April 2014 12:21:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:29 UTC