|
|
|
|
|
|
by lambdafu
909 days ago
|
|
|
No, because there may be other messages that are ignored, i.e. don't trigger a response message. Any such message can be used for injection. The details are implementation specific, though. The new strict-kex disallows all unexpected messages during the initial handshake, which helps a lot. (Even better would be to authenticate the complete handshake transcript). Another mitigation is resetting the sequence number. Both together give some redundancy. |
|
|