On Tue, Aug 7, 2018 at 11:08:12PM +0300, Heikki Linnakangas wrote:
> >I know this is an academic question now, but I am not sure this is true.
> >A man-in-the-middle attacker could say they don't support channel
> >binding to the real client and real server and pretend to be the real
> >server. What would work is to hash the secret in with the supported
> >channel binding list. This is how TLS works --- all previous messages
> >are combined with the secret into a transmitted hash to prevent a MITM
> >from changing it.
>
> Yeah, that is what I meant. Currently, when client chooses to not use
> channel binding, it the sends a single flag, y/n, to indicate whether it
> thinks the server supports channel binding or not. That flag is included in
> the hashes used in the authentication, so if a MITM tries to change it, the
> authentication will fail. If instead of a single flag, it included a list of
> channel binding types supported by the server, that would solve the problem
> with supporting multiple channel binding types.
Yes, agreed.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +