RFC 7457, "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)", February 2015

Source of RFC: uta (app)

Errata ID: 4894

Status: Reported
Type: Technical

Reported By: Julien Élie
Date Reported: 2016-12-22

Section 2.2 says:

   STARTTLS and similar mechanisms are vulnerable to downgrade attacks,
   whereby the attacker simply removes the STARTTLS indication from the
   (unprotected) request.  This cannot be mitigated unless HSTS-like
   solutions are added.

Notes:

The second paragraph in Section 2.2 ("STARTTLS Command Injection Attack") should have been in Section 2.1 ("SSL Stripping") because it concerns the attack known as "SSL Stripping".

Note that Section 3.2 of RFC 7525 refers to Section 2.1 (and not 2.2) of this RFC, when speaking about lack of advertised support for TLS.
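Added example, not part of the erratum or of RFC 7457, modelling the stripping described in the quoted paragraph from the client's side: an SMTP client parses constructed EHLO replies (hostnames and sizes are made up) and only a remembered, HSTS-like "require TLS" policy lets it tell a server that never offered STARTTLS from one whose advertisement was removed on the wire.

```python
import re

# Constructed sample EHLO replies (not taken from the RFC or erratum).
# The second is the first with the STARTTLS line removed, which is all the
# on-path attacker has to do because the reply itself is unprotected.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_STRIPPED = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 35882577\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def advertised_extensions(ehlo_response):
    """Parse a multi-line 250 EHLO reply into the set of extension keywords."""
    exts = set()
    lines = ehlo_response.split("\r\n")
    for line in lines[1:]:  # first line is the greeting, not an extension
        m = re.match(r"250[ -]([A-Za-z0-9-]+)", line)
        if m:
            exts.add(m.group(1).upper())
    return exts


def decide(ehlo_response, require_tls):
    """Return the client's decision: "starttls", "plaintext" or "refuse".

    require_tls models a pinned, HSTS-like policy ("this host always offers
    STARTTLS") that the client learned earlier over a protected channel.
    Without it the client cannot distinguish a server that never supported
    TLS from one whose advertisement was stripped, so it silently continues
    in clear text; with it the stripped reply is treated as an attack.
    """
    offered = "STARTTLS" in advertised_extensions(ehlo_response)
    if offered:
        return "starttls"
    if require_tls:
        return "refuse"
    return "plaintext"
```

The point of the RFC text is the third branch: absent a remembered policy, the stripped reply and a genuinely TLS-less server look identical to the client.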