TLS evolves rapidly. We don't all have the luxury of upgrading with it, unfortunately; new versions, extensions, cipher suites, and protocols require mutual support. This poses a serious problem for those who have legacy systems that cannot be upgraded (think IoT, or any device that needs certification). Accepting the risk of using a weak (but still sufficient, or better than nothing) protocol with those systems on an interim basis shouldn't imply accepting the risk everywhere. I offer an alternative.
I propose a TLS extension that endorses certificates with certain supported features, and then performs a sanity check at the end of establishment or renegotiation. This can be used to detect and prevent downgrade attacks, and doubles as a policy enforcement tool.

Falcon is a Shadytel tactical lineman and a Leviathan security consultant. He usually talks about LangSec, and recently published "The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them".
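A sketch of the end-of-handshake sanity check proposed in the abstract above, added here as an illustration and not taken from the talk. The `Features` structure, the assumption that the endorsed set arrives already authenticated with the certificate, and all sample values are hypothetical.

```python
from dataclasses import dataclass

# Weakest to strongest, named as Python's ssl.SSLSocket.version() reports them.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass(frozen=True)
class Features:
    """A set of TLS features; hypothetical layout, not a real certificate field."""
    versions: frozenset
    ciphers: frozenset


def sanity_check(endorsed, local, version, cipher):
    """Compare the finished handshake with what the peer certificate endorses.

    endorsed: Features vouched for by the peer certificate (assumed to have
              been authenticated by normal chain validation).
    local:    Features this endpoint has enabled.
    version, cipher: what was negotiated, e.g. SSLSocket.version() and
              SSLSocket.cipher()[0] after the handshake completes.
    Returns a list of violations; an empty list means accept the session.
    """
    mutual = endorsed.versions & local.versions
    if not mutual:
        return ["no protocol version is both endorsed and locally enabled"]
    problems = []
    # If both ends really support something better, a lower result means
    # the negotiation was tampered with or misconfigured.
    best = max(mutual, key=VERSION_ORDER.index)
    if version != best:
        problems.append(f"negotiated {version}, but both sides support {best}")
    if cipher not in endorsed.ciphers:
        problems.append(f"cipher {cipher} is not endorsed by the certificate")
    return problems


# Constructed sample data: a modern server, a legacy device that cannot be
# upgraded, and a client that keeps TLS 1.0 enabled only for that device.
MODERN = Features(frozenset({"TLSv1.2", "TLSv1.3"}),
                  frozenset({"TLS_AES_128_GCM_SHA256",
                             "ECDHE-RSA-AES128-GCM-SHA256"}))
LEGACY = Features(frozenset({"TLSv1"}), frozenset({"AES128-SHA"}))
CLIENT = Features(frozenset({"TLSv1", "TLSv1.2", "TLSv1.3"}),
                  MODERN.ciphers | LEGACY.ciphers)

if __name__ == "__main__":
    print(sanity_check(LEGACY, CLIENT, "TLSv1", "AES128-SHA"))  # accepted
    print(sanity_check(MODERN, CLIENT, "TLSv1", "AES128-SHA"))  # rejected
```

The same weak parameters pass for the legacy device and fail for the modern server, which is the per-peer acceptance of risk the abstract argues for.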
Copyright 2020, IronGeek