
Re: StartTLS and referral



Interesting issue. Perhaps servers should not return referrals for StartTLS extended ops, and clients should ignore referrals if returned? It seems appropriate to provide some advice in this area.

--
Mark Smith
AOL Strategic Business Solutions
Netscape Directory Product Development
My words are my own, not my employer's.


Kurt D. Zeilenga wrote:
Has anyone thought much about the security considerations
of allowing StartTLS to return a referral?  There is no
discussion in RFC2830 of how an attacker,
by injecting a StartTLS response into the stream,
could redirect the client to a server of its choosing
(with a certificate of its choosing).

Given that many clients auto-chase referrals... and
auto-verify certificates, the client might not even notice
that it re-connected to a rogue server with a verifiable
certificate.  That is, verifiable with the host name of
the rogue server.  I don't think it would make sense
operationally to require the client to verify using the
host name of the original server, but it might make sense
security-wise.

The same, I guess, applies to Bind operations... or
initial discovery of security features.

Anyways, food for thought.
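The injection Kurt describes, worked through as an added example that is not part of either message in this thread and not code from any directory server or client: a minimal BER encoder and decoder for the LDAPv3 StartTLS ExtendedResponse (RFC 2830, responseName 1.3.6.1.4.1.1466.20037), a client that chases the referral carried in that response, and a hardened client that treats anything other than success(0) on its own messageID as a failed StartTLS and then verifies the server certificate against the host it originally dialled. The host names, message IDs and the injected response bytes are constructed for the example; the tag values follow the ASN.1 in RFC 2251/2830 (ExtendedResponse is [APPLICATION 24], referral is context tag [3], responseName is [10]).

```python
"""StartTLS ExtendedResponse: referral-chasing client vs. hardened client (illustrative example)."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
RC_SUCCESS, RC_REFERRAL = 0, 10


def ber(tag, payload):
    """Encode one BER TLV. Short-form length only, which is enough for these small messages."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def starttls_response(msg_id, result_code, referral_uris=()):
    """Build LDAPMessage{ messageID, ExtendedResponse } for StartTLS (constructed sample, not captured traffic)."""
    body = ber(0x0A, bytes([result_code]))          # resultCode ENUMERATED
    body += ber(0x04, b"")                           # matchedDN (empty)
    body += ber(0x04, b"")                           # diagnosticMessage (empty)
    if referral_uris:                                # referral [3] SEQUENCE OF LDAPURL, what the attacker injects
        body += ber(0xA3, b"".join(ber(0x04, u) for u in referral_uris))
    body += ber(0x8A, STARTTLS_OID)                  # responseName [10]
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x78, body))  # 0x78 = [APPLICATION 24] constructed


def tlvs(buf):
    """Iterate (tag, value) over a run of short-form BER TLVs."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length


def parse_extended_response(msg):
    """Decode the fields a client acts on: message_id, result_code, referral URIs, response_name."""
    (outer_tag, inner), = tlvs(msg)
    assert outer_tag == 0x30, "not an LDAPMessage"
    (_, msg_id), (op_tag, op) = tlvs(inner)
    assert op_tag == 0x78, "not an ExtendedResponse"
    fields = list(tlvs(op))
    out = {"message_id": msg_id[0], "result_code": fields[0][1][0], "referral": [], "response_name": None}
    for tag, val in fields[3:]:                      # optional trailing components
        if tag == 0xA3:
            out["referral"] = [v for _, v in tlvs(val)]
        elif tag == 0x8A:
            out["response_name"] = val
    return out


def naive_client(raw, original_host):
    """The behaviour the thread worries about: on referral(10), reconnect to whatever host the URI names."""
    r = parse_extended_response(raw)
    if r["result_code"] == RC_SUCCESS:
        return ("start_tls", original_host)
    if r["result_code"] == RC_REFERRAL and r["referral"]:
        # ldap://host[:port]/... -> host[:port]; the rogue host's cert then verifies against its own name.
        host = r["referral"][0].decode().split("//", 1)[1].split("/", 1)[0]
        return ("reconnect", host)
    return ("abort", original_host)


def hardened_client(raw, original_host, expected_msg_id):
    """Only success(0) for our own messageID starts TLS; a referral (or any other code) aborts the session."""
    r = parse_extended_response(raw)
    if r["message_id"] != expected_msg_id:
        return ("abort", original_host)              # not the reply to our StartTLS request
    if r["response_name"] not in (None, STARTTLS_OID):
        return ("abort", original_host)              # responseName, if present, must be the StartTLS OID
    if r["result_code"] != RC_SUCCESS:
        return ("abort", original_host)              # referral(10) included: an injected response cannot redirect us
    return ("start_tls", original_host)              # the cert is then checked against original_host, never a URI


def tls_wrap(sock: socket.socket, original_host: str) -> ssl.SSLSocket:
    """After success(0): upgrade the *existing* connection and verify the cert against the host we dialled."""
    ctx = ssl.create_default_context()               # CERT_REQUIRED and check_hostname enabled
    return ctx.wrap_socket(sock, server_hostname=original_host)


if __name__ == "__main__":
    injected = starttls_response(3, RC_REFERRAL, [b"ldap://rogue.example.net/"])   # constructed attacker reply
    print("naive   :", naive_client(injected, "ldap.example.com"))
    print("hardened:", hardened_client(injected, "ldap.example.com", 3))
```

The naive path reconnects to rogue.example.net and, with a certificate valid for that name, sees nothing wrong; the hardened path never leaves the original connection, and tls_wrap pins certificate verification to the name the client chose, which is the operational variant of Kurt's "verify using the host name of the original server".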