On Tue, 1 Dec 2015 14:28:49 -0500 Watson Ladd <watsonbl...@gmail.com> wrote:
> https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
>
> This one looks very nasty to fix. Short of disallowing the use of RSA
> certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
> don't see a good fix. I haven't read this paper in detail yet.
>
> Cross-protocol attacks are the gift that keeps giving.

Correct me if I'm wrong, but as I understand the result (and I had one of the authors explain it to me a few days ago), the problem appears only if you have a TLS 1.2 implementation with an RSA key exchange that is vulnerable to a Bleichenbacher attack. If it is not, then you're fine. So as long as you make sure you implement all the proper countermeasures against that, you should be fine. (Granted: this is tricky, as has been shown by previous results; even the OpenSSL implementation was lacking proper countermeasures not that long ago, but it's not impossible.)

Deprecating the RSA key exchange just became a bit harder with Google's intent to deprecate DHE in Chrome and use RSA as the fallback if the host doesn't do ECDHE.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
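The "proper countermeasures" the reply refers to are, in RFC 5246 section 7.4.7.1 terms, that a server decrypting the RSA-encrypted premaster secret never signals whether the PKCS#1 v1.5 padding or the embedded version was valid, and instead carries on with a random premaster secret so every bad ciphertext fails the same way at Finished. The following is an added illustration of that server-side logic, not code from this thread or from any TLS implementation; it assumes `em` is the full k-byte raw RSA decryption and that `client_version` is the version the client offered in ClientHello, and the padding builder is a constructed test helper.

```python
import os

PMS_LEN = 48  # a TLS premaster secret is always 48 bytes

def build_pkcs1_type2_block(pms: bytes, k: int) -> bytes:
    """Constructed test helper (not part of the thread): wrap a premaster secret in
    PKCS#1 v1.5 type 2 padding, 0x00 0x02 PS 0x00 M, as a client does before RSA encryption."""
    ps_len = k - 3 - len(pms)
    ps = bytes(b or 1 for b in os.urandom(ps_len))  # padding string bytes must be non-zero
    return b"\x00\x02" + ps + b"\x00" + pms

def tls12_premaster_from_rsa_block(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 style handling of a decrypted ClientKeyExchange block.

    Every check runs to completion over fixed-length regions, no distinguishable
    error or alert is produced, and on any failure a random premaster secret is
    returned so the handshake continues and fails later in Finished regardless
    of *why* the ciphertext was bad. (Python itself gives no constant-time
    guarantee; the branch-free structure is what a native implementation copies.)
    """
    k = len(em)
    fallback = os.urandom(PMS_LEN)            # drawn up front, whatever the outcome
    bad = 0                                   # stays 0 only if every check passes
    bad |= em[0] ^ 0x00
    bad |= em[1] ^ 0x02
    for i in range(2, k - PMS_LEN - 1):       # fixed-length scan: PS bytes must be non-zero
        bad |= int(em[i] == 0)
    bad |= em[k - PMS_LEN - 1] ^ 0x00         # separator is at a fixed offset since |M| == 48
    pms = em[k - PMS_LEN:]
    bad |= pms[0] ^ client_version[0]         # version mismatch is a failure, not an alert
    bad |= pms[1] ^ client_version[1]
    # bad is in 0..255; derive an all-ones byte mask when bad == 0 without branching on it
    good = ((bad - 1) >> 8) & 0xFF
    return bytes((p & good) | (f & (good ^ 0xFF)) for p, f in zip(pms, fallback))
```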