On Wed, 16 Apr 2014 11:44:00 +0300 Georgi Guninski <guninski@xxxxxxxxxxxx> wrote: > AFAICT weak DH keys can't be recognized > since they can be well formed. Yes, I'm aware of that, has recently been discussed on the TLS WG list also. But clients could (and should imho) reject obviously bogus parameters like 8 bit moduli sizes. The solution would be to change TLS to have a fixed set of "known good" DH parameters written in the spec. This is also what the authors of the triple handshake attack have proposed. Would also save traffic because servers wouldn't have to send the DH parameter set, just an identifier. But probably won't happen before TLS 1.3. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@xxxxxxxxx GPG: BBB51E42
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/