On Fri, 09 Oct 2015 12:48:38 -0000, Karthikeyan Bhargavan
<karthik.bharga...@gmail.com> wrote:
> - We note that RSA ciphersuites already provide a version downgrade
>   mitigation, although it has itself caused many headaches due to
>   Bleichenbacher attacks. But if a server implements good side-channel
>   resistance to Bleichenbacher attacks, TLS 1.3 can be protected from
>   downgrades to both RSA and (EC)DHE ciphersuites in older protocol
>   versions.

For reference, the version field in the TLS premaster secret is not
checked by many servers; IIRC, some of them have large market shares.
--
Sincerely,
Yngve N. Pettersen
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
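
Added example, not part of the original thread or any participant's code: a sketch of the premaster-secret version check discussed above, following the countermeasure in RFC 5246 section 7.4.7.1, where a version mismatch is treated exactly like a padding failure. The names `select_premaster`, `ct_eq` and `run_case` are hypothetical, and the sample secrets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48 /* 2-byte client_version + 46 random bytes */

/* 0xFF if a == b, else 0x00, with no data-dependent branch. */
static uint8_t ct_eq(uint8_t a, uint8_t b) {
    uint32_t x = (uint32_t)(a ^ b);
    return (uint8_t)((x - 1u) >> 8);
}

/* Hypothetical helper: pick the premaster secret after RSA decryption.
 * dec/dec_len/padding_ok come from the caller's PKCS#1 v1.5 unpadding;
 * fallback is PMS_LEN random bytes drawn BEFORE decrypting. Bad padding,
 * bad length and a version mismatch all take the same path: the handshake
 * continues with fallback and fails later at Finished. The return value
 * (1 = client value used) is for tests only and must not alter behaviour.
 * A production unpadder must also hide dec_len; this sketch does not. */
int select_premaster(const uint8_t *dec, size_t dec_len, int padding_ok,
                     uint8_t hello_major, uint8_t hello_minor,
                     const uint8_t *fallback, uint8_t *out) {
    uint8_t buf[PMS_LEN] = {0};
    memcpy(buf, dec, dec_len < PMS_LEN ? dec_len : PMS_LEN);
    uint8_t good = ct_eq((uint8_t)(padding_ok != 0), 1);
    good &= ct_eq((uint8_t)(dec_len == PMS_LEN), 1);
    good &= ct_eq(buf[0], hello_major); /* compare to ClientHello.client_version, */
    good &= ct_eq(buf[1], hello_minor); /* not to the negotiated version */
    for (size_t i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((buf[i] & good) | (fallback[i] & (uint8_t)~good));
    return good & 1;
}

/* Constructed test input: the client offered 3.3 (TLS 1.2) in ClientHello.
 * Returns 1 if the client's secret was kept, 0 if the fallback replaced it,
 * -1 if the output matches neither. */
int run_case(uint8_t pms_major, uint8_t pms_minor, int padding_ok, size_t len) {
    uint8_t pms[PMS_LEN], fb[PMS_LEN], out[PMS_LEN];
    memset(pms, 0x11, sizeof pms);
    memset(fb, 0xAA, sizeof fb);
    pms[0] = pms_major;
    pms[1] = pms_minor;
    int used = select_premaster(pms, len, padding_ok, 3, 3, fb, out);
    if (used && memcmp(out, pms, PMS_LEN) == 0) return 1;
    if (!used && memcmp(out, fb, PMS_LEN) == 0) return 0;
    return -1;
}
```

A server that skips the two version comparisons accepts the second case below unchanged, which is the gap the reply points out.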