On 03/28/2012 03:07 PM, Yoav Nir wrote:
>>
>> Approximately half the world's webservers were vulnerable to a
>> man-in-the-middle attack, sometimes quite severe.
>
> Half? Which half wasn't?
>
> Sure, the amount of damage an attacker could do varied: the firewall
> that I could power down or disable the security policy from would
> count as a lot of damage, plus any case where money could be stolen,
> while servers where the attack was not exploitable (because maybe
> they used randomized ephemeral paths) would count as little damage,
> but where there actual servers where you could not inject a prefix?
MS IIS tended to not be vulnerable much of the time because it didn't
accept client-initiated renegotiation. But it was still vulnerable when
configured with client certs or certain other checkboxes were set.
There are probably still other devices around where renegotiation was
simply not implemented. A lot of https hosts serve nothing but static
content to the public anyway and would likely not be 'vulnerable' in the
strict sense.
So in my head I combined IIS's less-than-half market share with a guess
about a smaller percentage of other devices and web apps that were (by
accident) not effectively vulnerable to come up with the ballpark figure
'half'.
We could certainly come up with a better number, but why would we need it?
- Marsh
_______________________________________________
TLS mailing list
TLS@...
https://www.ietf.org/mailman/listinfo/tls
