- From: Ravi Ganesan <ravi@findravi.com>
- Date: Fri, 12 Feb 2010 12:42:43 -0800
- To: Ben Wilson <ben@digicert.com>
- Cc: public-xg-mashssl@w3.org
- Message-ID: <3561bdcc1002121242t328fa05dj3348364b97436025@mail.gmail.com>
Ben,

I followed this very closely. Just FYI for everyone:

i) MashSSL has never had the concept of a renegotiation so was not affected in any way by this vulnerability.

ii) In general this is one of the reasons I think starting with SSL is a good idea. It is constantly under scrutiny and improvement. I'd rather use a protocol like that than one which only the bad guys know the vulnerabilities!

Cheers,
Ravi

On Thu, Feb 11, 2010 at 10:04 AM, Ben Wilson <ben@digicert.com> wrote:

> I thought that because this article discussed a weakness caused by client
> authentication this group might be interested-
> http://arstechnica.com/microsoft/news/2010/02/microsoft-warns-of-tslssl-flaw-in-windows.ars
>
> “Enabling the SSLAlwaysNegoClientCert setting will cause IIS to prompt the
> client for a certificate upon the initial connection, and does not require a
> server-initiated renegotiation. The downside is that setting this flag will
> require the client to authenticate prior to loading any element from the
> SSL-protected website and will thus cause the browser to always prompt the
> user for a client certificate upon connecting. Alternatively, the company is
> offering an update which lets system administrators disable TLS and SSL
> renegotiation functionality (available at KB977377<http://support.microsoft.com/default.aspx/kb/977377>).
> Microsoft admits, however, that renegotiation is required functionality for
> some applications so it doesn't recommend that this workaround be used for
> wide implementation (and should be tested rigorously before any
> implementation).”
>
> See you on today’s call.
>
> Ben
>
> Benjamin T. Wilson, JD CISSP
> General Counsel and EVP Industry Relations
> DigiCert, Inc.
>
> Online: www.DigiCert.com <http://www.digicert.com/>
> Email: ben@digicert.com
> Toll Free: 1-800-896-7973 (US & Canada)
> Direct: 1-801-701-9678
> Fax: 1-866-842-0223 (Toll Free if calling from the US or Canada)

--
Ravi Ganesan
ravi@findravi.com
www.findravi.com

Received on Friday, 12 February 2010 20:43:17 UTC