How bulletproof is TLS Downgrade SCSV?
Bogdan Harjoc
2014-10-15 15:53:58 UTC
How does the newly introduced [1] support for the Downgrade SCSV stop
an attacker from removing the SCSV from an outgoing ClientHello? Am I
missing something, or is there no hash to ensure that the ClientHello
received by the server has not been tampered with?

[1] https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-02
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Salz, Rich
2014-10-15 16:15:10 UTC
The hello message is protected by digests at the end of the handshake.

Otherwise the national scale adversary (NSA) could tweak anything. The point about fallback is the attacker doesn't have to touch the content to make the client fall back; it just has to interrupt at the TCP layer.

Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz
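
Added example (not part of either message, and not OpenSSL code): a sketch of why a ClientHello whose SCSV was removed in transit fails at the end of the handshake, using the TLS 1.2 Finished computation from RFC 5246. The simplified ClientHello, the zeroed master secret and the helper names are constructed for illustration, and the model assumes both sides otherwise derive the same master secret.

```python
import hashlib, hmac, struct

TLS_FALLBACK_SCSV = 0x5600  # cipher suite value {0x56, 0x00}

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def verify_data(master_secret, label, transcript):
    """Finished.verify_data = PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    seed = label + hashlib.sha256(transcript).digest()
    return p_sha256(master_secret, seed, 12)

def client_hello(version, suites):
    """Simplified ClientHello (constructed): zero random, no session id, no extensions."""
    body = struct.pack("!H", version) + bytes(32)
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # null compression only
    return b"\x01" + len(body).to_bytes(3, "big") + body

def finished_check(sent_hello, received_hello, rest=b"", master_secret=bytes(48)):
    """Server-side comparison of the client's Finished against its own transcript.
    `rest` stands in for the remaining handshake messages (assumed identical)."""
    from_client = verify_data(master_secret, b"client finished", sent_hello + rest)
    expected = verify_data(master_secret, b"client finished", received_hello + rest)
    return hmac.compare_digest(from_client, expected)

if __name__ == "__main__":
    intact = client_hello(0x0303, [0xC02F, 0x009C, TLS_FALLBACK_SCSV])
    stripped = client_hello(0x0303, [0xC02F, 0x009C])  # same hello without the SCSV
    print("unmodified hello, Finished accepted:", finished_check(intact, intact))
    print("SCSV removed in transit, Finished accepted:", finished_check(intact, stripped))
```

This covers only modification of the hello; dropping the connection at the TCP layer alters no handshake message, which is the case the SCSV itself addresses.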
