Next: , Previous: , Up: The TLS record protocol   [Contents][Index]


3.3.3 Weaknesses and countermeasures

Some weaknesses that may affect the security of the record layer have been found in TLS 1.0 protocol. These weaknesses can be exploited by active attackers, and exploit the facts that

  1. TLS has separate alerts for “decryption_failed” and “bad_record_mac”
  2. The decryption failure reason can be detected by timing the response time.
  3. The IV for CBC encrypted packets is the last block of the previous encrypted packet.

Those weaknesses were solved in TLS 1.1 [RFC4346] which is implemented in GnuTLS. For this reason we suggest to always negotiate the highest supported TLS version with the peer4. For a detailed discussion of the issues see the archives of the TLS Working Group mailing list and [CBCATT].


Footnotes

(4)

If this is not possible then please consult Interoperability.