From: Julien (prospi@gmail.com)
Date: Sat Oct 21 2006 - 08:05:13 EDT
Hi,
> Also, does your implementation perform correct client/server
> certificate validation?
Yes, it's implemented...
> If someone adds or removes encrypted
> data, or modifies it in transit, will your implementation detect it?
I don't know for the moment. By reading the design docs I think
it has to detect this kind of "attack".
Thanks all
2006/10/21, Tim <tim-pentest@sentinelchicken.org>:
>
> > I have to test the TLS implementation on our product. The goal is not to
> > discover a threat in TLS but to find threats in our implementation.
> > In my test I'll do:
> > - MitM
> > - Replay attack (I think it will not be possible because of TLS timestamps)
> > - DoS
> > - Sniffing (to check that all communications are encrypted)
> >
> > What other tests could be done?
>
> Well, there's always modification. If someone adds or removes encrypted
> data, or modifies it in transit, will your implementation detect it?
> This is particularly important when using stream cipher based
> ciphersuites.
>
> Also, does your implementation perform correct client/server
> certificate validation? It's a pretty complex process, and other major
> implementations have had bugs in the past in this area.
>
> good luck,
> tim
>
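
The modification test raised in this thread, as an added example that is not part of the original messages: a simplified Python model of a MAC-then-encrypt record layer with a stream cipher, showing which in-transit changes a correct receiver must reject. It is not real TLS; the SHA-256 counter-mode keystream, HMAC-SHA256, and all names (`RecordLayer`, `flip_bit`, `detects`) are assumptions made for illustration.

```python
import hashlib, hmac, struct

MAC_LEN = 32  # HMAC-SHA256 tag length
class TamperDetected(Exception): pass  # raised when the record MAC does not verify

class RecordLayer:
    """One direction of a simplified TLS-style record layer (hypothetical model)."""
    def __init__(self, enc_key, mac_key, verify_mac=True):
        self.enc_key, self.mac_key, self.verify_mac = enc_key, mac_key, verify_mac
        self.seq = 0      # implicit sequence number, never sent on the wire
        self.offset = 0   # keystream position, continuous across records

    def _xor(self, data):
        # Stand-in stream cipher (assumption): SHA-256 in counter mode, not RC4.
        first, last = self.offset // 32, (self.offset + len(data)) // 32
        ks = b"".join(hashlib.sha256(self.enc_key + struct.pack(">Q", b)).digest()
                      for b in range(first, last + 1))[self.offset % 32:]
        self.offset += len(data)
        return bytes(a ^ b for a, b in zip(data, ks))

    def _mac(self, plaintext):
        # The MAC covers the sequence number and length as well as the payload.
        header = struct.pack(">QH", self.seq, len(plaintext))
        return hmac.new(self.mac_key, header + plaintext, hashlib.sha256).digest()

    def seal(self, plaintext):
        record = self._xor(plaintext + self._mac(plaintext))
        self.seq += 1
        return record

    def open(self, record):
        body = self._xor(record)
        plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if self.verify_mac and not hmac.compare_digest(tag, self._mac(plaintext)):
            raise TamperDetected("bad record MAC at seq %d" % self.seq)
        self.seq += 1
        return plaintext

def flip_bit(record, index, mask=0x01):
    out = bytearray(record)
    out[index] ^= mask
    return bytes(out)

def detects(receiver, record):
    try:
        receiver.open(record)
    except TamperDetected:
        return True
    return False
```

Constructing a receiver with `verify_mac=False` models an implementation that skips the check: a flipped ciphertext bit then flips the same plaintext bit and is accepted, which is why the test matters most for stream cipher ciphersuites.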
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:14 EDT