[Haskell-cafe] heads-up: tls v2.0.0

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 19 20:01:51 UTC 2024


On Fri, Jan 19, 2024 at 10:55:15AM +0100, Jo Durchholz wrote:

> > That's far from accurate.  TLS 1.0, though dated, is quite adequate for
> > many non-browser applications.
> 
> Well... sort-of. It depends on SHA-1 for initial handshake and peer
> authentication (both relevant to prevent man-in-the-middle attacks),

Actually, the TLS 1.0 hash algorithm used in digital signatures is
SHA1+MD5, and there are no known practical attacks on that construction.

    https://datatracker.ietf.org/doc/html/rfc2246#section-7.4.3

       select (SignatureAlgorithm)
       {   case anonymous: struct { };
           case rsa:
               digitally-signed struct {
                   opaque md5_hash[16];
                   opaque sha_hash[20];
               };
           case dsa:
               digitally-signed struct {
                   opaque sha_hash[20];
               };
       } Signature;

There are some theoretical attacks on concatenated hashes that suggest
they're not quite as strong as one might naïvely hope, but this has
little practical impact.

The TLS 1.0 bulk ciphers use SHA1-HMAC (not raw SHA1):

    https://datatracker.ietf.org/doc/html/rfc2246#section-6.2.3.1

There are no known practical attacks on HMAC.  In the browser context,
there have been some practical attacks on CBC mac-then-encrypt ciphers
used in TLS 1.0, but they're easily mitigated by negotiating EtM:

    https://datatracker.ietf.org/doc/html/rfc7366#section-2

In any case, communication with legacy systems via TLS 1.0 is
substantially safer than in the clear.

-- 
    Viktor.
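
The two RFC 2246 constructions referred to above, as an added worked
example (not part of the thread, and not code from the Haskell tls
package): the RSA signature input is the 36-byte MD5 || SHA-1
concatenation from section 7.4.3, and the record MAC from section 6.2.3.1
is keyed HMAC-SHA1 over the sequence number, record header and fragment,
never raw SHA-1 over the data. The hello randoms, ServerParams bytes and
MAC secret are constructed placeholders; the functions use only Python's
standard hashlib, hmac and struct modules.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not taken from the thread): two 32-byte hello
# randoms, a stand-in for the ServerParams bytes a ServerKeyExchange would
# carry, and a 20-byte MAC_write_secret as derived by the TLS 1.0 PRF.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
SERVER_PARAMS = bytes.fromhex("00030100010003020100")   # placeholder, not real DH params
MAC_WRITE_SECRET = bytes(range(100, 120))

TLS_1_0_VERSION = 0x0301
APPLICATION_DATA = 23


def rsa_signature_input(client_random: bytes, server_random: bytes,
                        server_params: bytes) -> bytes:
    """RFC 2246 section 7.4.3, case rsa: the value that is digitally signed is
    md5_hash[16] || sha_hash[20], each digest computed over
    ClientHello.random + ServerHello.random + ServerParams.
    Neither digest is keyed; the 36-byte concatenation is what the RSA
    signature covers."""
    data = client_random + server_random + server_params
    md5_hash = hashlib.md5(data).digest()   # opaque md5_hash[16]
    sha_hash = hashlib.sha1(data).digest()  # opaque sha_hash[20]
    return md5_hash + sha_hash


def record_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
               version: int, fragment: bytes) -> bytes:
    """RFC 2246 section 6.2.3.1: HMAC_hash(MAC_write_secret,
    seq_num + TLSCompressed.type + TLSCompressed.version
    + TLSCompressed.length + TLSCompressed.fragment) with hash = SHA-1.
    seq_num is a uint64, type one byte, version and length two bytes each."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_write_secret, header + fragment, hashlib.sha1).digest()


def verify_record_mac(mac_write_secret: bytes, seq_num: int, content_type: int,
                      version: int, fragment: bytes, received_mac: bytes) -> bool:
    """Receiver-side check; constant-time comparison so the verdict does not
    leak timing about how many MAC bytes matched."""
    expected = record_mac(mac_write_secret, seq_num, content_type, version, fragment)
    return hmac.compare_digest(expected, received_mac)


def demo() -> dict:
    """Run both constructions on the constructed sample values and show that
    the record MAC binds the fragment and the sequence number."""
    sig_input = rsa_signature_input(CLIENT_RANDOM, SERVER_RANDOM, SERVER_PARAMS)
    fragment = b"GET / HTTP/1.0\r\n\r\n"
    tag = record_mac(MAC_WRITE_SECRET, 0, APPLICATION_DATA, TLS_1_0_VERSION, fragment)
    tampered = bytes([fragment[0] ^ 0x01]) + fragment[1:]
    return {
        "signature_input_len": len(sig_input),
        "signature_input_hex": sig_input.hex(),
        "mac_hex": tag.hex(),
        "mac_ok": verify_record_mac(MAC_WRITE_SECRET, 0, APPLICATION_DATA,
                                    TLS_1_0_VERSION, fragment, tag),
        "tampered_ok": verify_record_mac(MAC_WRITE_SECRET, 0, APPLICATION_DATA,
                                         TLS_1_0_VERSION, tampered, tag),
        # Same bytes under a different sequence number: a replayed record
        # fails verification because seq_num is part of the MAC input.
        "replayed_ok": verify_record_mac(MAC_WRITE_SECRET, 1, APPLICATION_DATA,
                                         TLS_1_0_VERSION, fragment, tag),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the mail makes shows up directly in the code: a collision in
SHA-1 alone does not give a collision in the signed value, since the
attacker would also need the same MD5 over the same input, and the record
layer never exposes a raw SHA-1 of the plaintext at all, only an HMAC under
MAC_write_secret.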

