[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [authmeth] effect of StartTLS on authentication state

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: [authmeth] effect of StartTLS on authentication state
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 3 Jul 2003 15:29:03 +0200
Cc: "Roger Harrison" <RHARRISON@novell.com>, ietf-ldapbis@OpenLDAP.org
In-reply-to: <5.2.0.9.0.20030701171553.01da9e50@127.0.0.1>
References: <sf01cca0.066@prv-mail20.provo.novell.com> <5.2.0.9.0.20030701171553.01da9e50@127.0.0.1>

Kurt D. Zeilenga writes:
> For the life of me, I cannot imagine why a client would do
>     simple+StartTLS+modify
> or even
>     simple+StartTLS+search-for-user-application-objects

However, an attacker could insert a bind before the StartTLS in a client
which expects to run with anonymous auth and which grants access to
something depending on what is returned from the search.  I can vaguely
imagine that this could be a problem in rare cases.

And of course, the attacker could insert another bind after the client's
bind if the client does simple+StartTLS+modify.

-- 
Hallvard

References:
- [authmeth] effect of StartTLS on authentication state
  - From: "Roger Harrison" <RHARRISON@novell.com>
- Re: [authmeth] effect of StartTLS on authentication state
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: I-D ACTION:draft-ietf-ldapbis-models-08.txt
Next by Date: Re: [authmeth] effect of StartTLS on authentication state
Index(es):
- Chronological
- Thread