golioth / golioth-zephyr-sdk

Golioth SDK For Zephyr
https://www.golioth.io
Apache License 2.0

net: enable extended master secret #432

Closed sam-golioth closed 11 months ago

sam-golioth commented 1 year ago

Extended Master Secret is a DTLS extension that ensures the Master Secret is tied to the handshake parameters and is used to prevent certain Man in the Middle attacks.

Confirmed with wireshark that the extension is present from Client and Server during handshake and communication with Golioth proceeds as normal.

[Screenshot 2023-10-04 at 5:02:30 PM]

Closes golioth/firmware-issue-tracker#224

github-actions[bot] commented 1 year ago

Visit the preview URL for this PR (updated for commit 2ab7986):

https://golioth-zephyr-sdk-doxygen-dev--pr432-enable-extended-gyb3h862.web.app

(expires Wed, 18 Oct 2023 19:49:03 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: a389eefadf4b4b68a539327b3459dd66c142cf49

mniestroj commented 1 year ago

Is this Extended Master Secret enforced by the client? What happens if the server responds without this option? Would the client drop the connection as a potential man-in-the-middle attack?

sam-golioth commented 12 months ago

> Is this Extended Master Secret enforced by the client? What happens if the server responds without this option? Would the client drop the connection as a potential man-in-the-middle attack?

Hmm, that's a good question. I did some searching around and I'm not sure. I hope it drops it, otherwise it's not a very good protection, but I can't confirm.

mniestroj commented 12 months ago

> Is this Extended Master Secret enforced by the client? What happens if the server responds without this option? Would the client drop the connection as a potential man-in-the-middle attack?

> Hmm, that's a good question. I did some searching around and I'm not sure. I hope it drops it, otherwise it's not a very good protection, but I can't confirm.

The reason I ask is that I probably (90% sure) was about to enable this feature in the past, but didn't do it because it was not enforced anyway, i.e. it was not improving security against a man-in-the-middle attack. I think I tested it with mbedTLS or aiocoap, but as I say, I am not sure about it right now. Maybe we had something on Jira related to that...
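To make concrete both what the PR description says the extension does (tying the master secret to the handshake) and what the enforcement question above is about, here is an added example that is not part of the PR or of the Golioth SDK. It implements the TLS/DTLS 1.2 PRF from RFC 5246 with SHA-256 (assumed as the negotiated hash), derives a master secret the legacy way (randoms only) and the RFC 7627 way (session hash of the transcript), and models the client's decision after ServerHello: `negotiate_master_secret`, the `enforce` flag and the sample transcripts are constructs of this example and do not describe how Mbed TLS or the SDK actually behave.

```python
import hmac
import hashlib


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246 section 5), also used by DTLS 1.2."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # P_i = HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def legacy_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: only the two 32-byte randoms enter the derivation,
    so nothing else in the handshake (certificates, parameters) is bound to the secret."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def extended_master_secret(pre_master: bytes, handshake_messages: bytes) -> bytes:
    """RFC 7627 section 4: the session hash of the full handshake transcript up to
    ClientKeyExchange replaces the randoms, binding the secret to every handshake message."""
    session_hash = hashlib.sha256(handshake_messages).digest()
    return prf(pre_master, b"extended master secret", session_hash, 48)


def negotiate_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes,
                            handshake_messages: bytes, client_offered: bool,
                            server_echoed: bool, enforce: bool):
    """Hypothetical model of a client's decision after ServerHello (not any library's code).
    Returns ("extended" | "legacy", master_secret). With enforce=False a server that omits
    the extension silently gets the legacy derivation; with enforce=True the handshake is aborted."""
    if client_offered and server_echoed:
        return "extended", extended_master_secret(pre_master, handshake_messages)
    if enforce:
        raise ConnectionError("peer did not negotiate extended_master_secret; aborting handshake")
    return "legacy", legacy_master_secret(pre_master, client_random, server_random)


# Constructed sample values, not taken from a real capture.
PRE_MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x01" * 32
SERVER_RANDOM = b"\x02" * 32
# Two transcripts that share randoms and pre-master but differ in the server certificate.
TRANSCRIPT_A = b"ClientHello|ServerHello|Certificate=serverA|ServerHelloDone|ClientKeyExchange"
TRANSCRIPT_B = b"ClientHello|ServerHello|Certificate=serverB|ServerHelloDone|ClientKeyExchange"


def compare_derivations() -> dict:
    """Same pre-master and randoms, different transcripts: the legacy derivation cannot tell
    the two handshakes apart, the extended one yields two unrelated master secrets."""
    legacy_a = legacy_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    legacy_b = legacy_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)  # transcript not an input
    ext_a = extended_master_secret(PRE_MASTER, TRANSCRIPT_A)
    ext_b = extended_master_secret(PRE_MASTER, TRANSCRIPT_B)
    return {
        "legacy_identical": legacy_a == legacy_b,
        "extended_identical": ext_a == ext_b,
        "legacy_len": len(legacy_a),
        "extended_len": len(ext_a),
    }


if __name__ == "__main__":
    print(compare_derivations())
    for echoed, enforce in ((True, True), (False, False), (False, True)):
        try:
            kind, _ = negotiate_master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM,
                                              TRANSCRIPT_A, True, echoed, enforce)
            print(f"server_echoed={echoed} enforce={enforce}: using {kind} master secret")
        except ConnectionError as exc:
            print(f"server_echoed={echoed} enforce={enforce}: {exc}")
```

The third case in the usage loop is the one the question above is about: merely offering the extension (the client still accepts a ServerHello without it) changes nothing on a connection where the peer, or an interposed party, leaves it out; only the enforcing client refuses to fall back to the legacy derivation. Checking the ServerHello in a capture, as the PR does, shows the extension was negotiated on that connection, not that the client would reject one where it is absent.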