[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [authmeth] effect of StartTLS on authentication state
Kurt D. Zeilenga writes:
> For the life of me, I cannot imagine why a client would do
> simple+StartTLS+modify
> or even
> simple+StartTLS+search-for-user-application-objects
However, an attacker could insert a bind before the StartTLS in a client
which expects to run with anonymous auth and which grants access to
something depending on what is returned from the search. I can vaguely
imagine that this could be a problem in rare cases.
And of course, the attacker could insert another bind after the client's
bind if the client does simple+StartTLS+modify.
--
Hallvard