<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Agreed!<div><br></div><div>However, it's only (-:™:-) an implementation bug, so it's straightforward (-:™:-) to fix. |-P</div><div><br></div><div>A couple of months ago, yet another protocol error in TLS renegotiation was discovered. It's comparable to the one in 2008 that prompted TLS 1.1. AFAIK, they have not yet even decided how to fix it this time, and there is talk that the fix should be more comprehensive (and done by different people) than the last one. The net effect is to break the cryptographic binding between the cert(s) and the channel, permitting MITM attacks (even when client certs are used). Short-term mitigation is to disable TLS renegotiation. No big deal for short connections, but theoretically a bad idea for large data volumes.</div><div><br></div><div>This has to be really embarrassing to all the black-funded experts who analyzed TLS 1.0 and pronounced it secure. They obviously didn't look at renegotiation, only the initial connection.</div><div><br><div><div>On Apr 8, 2014, at 11:16 AM, Matthew Campbell <<a href="mailto:dvdmatt@gmail.com">dvdmatt@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><p dir="ltr">Wow this is major.</p><p dir="ltr">Matt<br>
</p>
<div class="gmail_quote">On Apr 7, 2014 6:08 PM, "Rae Yip" <<a href="mailto:rae.yip@gmail.com">rae.yip@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In case you haven't heard, patch your OpenSSL libraries:<br>
<br>
<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a><br>
<br>
And then change your secrets.<br>
<br>
John K, you must be feeling pretty smug right now. ;)<br>
<br>
-Rae.<br>
<br>
</blockquote></div>
</blockquote></div><br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div>Personal email. <a href="mailto:hbhotz@oxy.edu">hbhotz@oxy.edu</a></div><div><br></div></span><br class="Apple-interchange-newline">
</div>
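<div>Added editorial example, not part of the original thread or anyone's post in it: a quick check for whether a TLS server advertises the RFC 5746 secure renegotiation extension, the TLS-level defense against the renegotiation splice attack described in the message above. It shells out to an <code>openssl</code> binary assumed to be on PATH and parses the "Secure Renegotiation IS supported" / "IS NOT supported" status line that <code>s_client</code> prints after the handshake; the two sample transcripts embedded below are constructed for illustration, and the host name <code>example.com</code> is a placeholder.</div>

```python
"""Check whether a TLS server advertises RFC 5746 secure renegotiation.

Added example, not from the original e-mail thread.  It shells out to the
`openssl s_client` binary (assumed to be on PATH) and parses the status
line OpenSSL prints after the handshake.  The sample transcripts below are
constructed for illustration.
"""
import re
import subprocess
from typing import Optional

# s_client prints exactly one of these two lines once the handshake completes.
_RENEG_RE = re.compile(r"^Secure Renegotiation IS( NOT)? supported", re.MULTILINE)


def secure_renegotiation_supported(s_client_output: str) -> Optional[bool]:
    """Parse an s_client transcript.

    Returns True if the server negotiated the RFC 5746 extension, False if it
    only offers legacy renegotiation, and None if the handshake never got far
    enough for the status line to appear (connection refused, bad cert, ...).
    """
    m = _RENEG_RE.search(s_client_output)
    if m is None:
        return None
    return m.group(1) is None


def check_server(host: str, port: int = 443, timeout: float = 10.0) -> Optional[bool]:
    """Connect with openssl s_client and report secure-renegotiation status.

    Assumes an `openssl` binary on PATH.  stdin is given empty input so
    s_client exits once the handshake completes instead of waiting to read.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # The status block goes to stdout; connection errors go to stderr.
    return secure_renegotiation_supported(proc.stdout.decode("utf-8", "replace"))


# Constructed, trimmed transcripts in the shape s_client produces.
SAMPLE_PATCHED = """\
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
"""

SAMPLE_UNPATCHED = """\
---
New, TLSv1.0, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    status = check_server(host)
    verdict = {
        True: "RFC 5746 secure renegotiation advertised",
        False: "legacy renegotiation only: keep renegotiation disabled on this server",
        None: "handshake failed or openssl not available",
    }[status]
    print(f"{host}: {verdict}")
```

<div>A server that reports "IS NOT supported" is exactly the case where the short-term mitigation in the message above (disabling renegotiation outright) still applies; a server that advertises the extension binds renegotiated handshakes to the original one and closes the splice.</div>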
<br></div></body></html>