Freeze Break: SSLv3
Till Maas
opensource at till.name
Thu Oct 16 16:29:10 UTC 2014
On Wed, Oct 15, 2014 at 11:15:44AM -0600, Kevin Fenzi wrote:
> On Wed, 15 Oct 2014 17:47:37 +0200
> Till Maas <opensource at till.name> wrote:
>
> > the current issue only allows an attack against the secrecy of SSL
> > communication. This does not seem to be a problem for koji as used in
> > Fedora, since it uses client certificates for authentication and
> > therefore there should be no secret cookie that could be obtained.
> > Also the attack requires the attacker to be able to make the victim
> > send special SSL messages/HTTP requests, which is also not feasible
> > if only the koji command line client is used, which is how most if
> > not all people access koji when they are authenticated.
>
> My thought was that someone could get another users cert. Which, if the
> user was an admin would allow them to do all sorts of bad things.
>
> The cert itself isn't exposed via this?
Technically it would be the private key that needs to be protected, and
since it is not transfered in TLS messages it stays protected against
this attack.
Regards
Till
More information about the infrastructure
mailing list