Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210811081634.15143171@computer>
Date: Wed, 11 Aug 2021 08:16:34 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: STARTTLS vulnerabilities

Hi,

On Tue, 10 Aug 2021 15:41:56 +0200
Guido Berhoerster <guido+openwall.com@...hoerster.name> wrote:

> have you or are you planning to look into XMPP client/server
> implementations as well?  The use of STARTTLS for both c2s and s2s
> connections is still prevalent both in terms of implementation
> support and actual practice and could potentially suffer form the
> same issues (command injection or downgrade attacks).

We have not looked much into other protocols, and given how much time
we've already spent on the topic I think it is unlikely that we will do
this.

Of course it's a very obvious idea for further research to look if one
finds similar vulnerabilities to the ones we found in other protocols.
So I'd really like to encourage other people to look for this.

FWIW there are a lot of protocols with a STARTTLS mechanism, here's the
list of supported protocols by OpenSSL:
	smtp
	pop3
	imap
	ftp
	xmpp
	xmpp-server
	telnet
	irc
	mysql
	postgres
	lmtp
	nntp
	sieve
	ldap


-- 
Hanno Böck
https://hboeck.de/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.