On Tuesday, December 01, 2015 02:28:49 pm Watson Ladd wrote:
> https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf

This analysis was done against TLS 1.3 draft 07 from July. It changed to RSA-PSS signatures for handshake messages in draft 09. (Current is draft 11; draft 12 is pending.) This doesn't seem to change anything, though. QUIC also uses PSS.

> This one looks very nasty to fix. Short of disallowing the use of RSA
> certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
> don't see a good fix.

I haven't read this paper in detail yet. I think it's reasonable at this point to publish a diediedie RFC for plain RSA use in all TLS versions and mandate expectation of (EC)DHE with RSA (or any certificate) everywhere.

This technically wouldn't apply to IE6 on XP, as that's generally using SSL3, which already got its diediedie (MS left TLS 1.0 off by default forever; anyone who can fix that can install something less than 15 years old). IE7+ on Vista+ & Java 6+ support FS RSA cipher suites.

> Cross-protocol attacks are the gift that keeps giving.

Or, yet another lesson that just deprecating old features with new protocols is not enough. Keeping known-weak features around forever for backwards compatibility always seems to hurt you eventually.

Dave

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
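The message above proposes retiring the plain RSA handshake (static RSA key exchange) in favour of (EC)DHE everywhere. The following is an added example, not part of the thread or of any IETF document, showing how an operator can audit a configured cipher-suite list for suites that still use that handshake. It classifies IANA-style suite names by their key-exchange component; the `SAMPLE_CONFIG` list and the `audit`/`key_exchange` function names are constructed for this illustration, and the `OPENSSL_NO_STATIC_RSA` string uses OpenSSL's real `!kRSA` exclusion keyword.

```python
"""Audit a TLS cipher-suite list for static RSA key exchange (no forward secrecy).

Added example for illustration; not code from the mailing-list thread.
"""
import re

# IANA names look like TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>, e.g.
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. When <kx> is plain "RSA" the
# premaster secret is encrypted to the server's RSA key: no (EC)DHE, no
# forward secrecy, and the server acts as an RSA decryption endpoint.
_SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z]+)(?:_(?P<auth>RSA|ECDSA|DSS|PSK|anon))?_WITH_"
)

# OpenSSL cipher-string policy that removes every static-RSA suite.
# "kRSA" is OpenSSL's keyword for RSA key exchange (not RSA authentication).
OPENSSL_NO_STATIC_RSA = "DEFAULT:!kRSA"


def key_exchange(suite: str) -> str:
    """Classify one IANA suite name by how the premaster secret is established.

    Returns "static-rsa", "forward-secret", "other" (static (EC)DH, PSK-only,
    anonymous) or "unknown" (name not in the expected shape).
    """
    if "_WITH_" not in suite:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange
        # component because TLS 1.3 always runs an (EC)DHE handshake.
        return "forward-secret"
    m = _SUITE.match(suite)
    if not m:
        return "unknown"
    kx = m.group("kx")
    if kx == "RSA":
        # Covers TLS_RSA_WITH_* and TLS_RSA_PSK_WITH_* (RFC 4279), both of
        # which RSA-encrypt the premaster secret.
        return "static-rsa"
    if kx in ("ECDHE", "DHE"):
        return "forward-secret"
    return "other"


def audit(suites):
    """Return the suites from a configured list that still use plain RSA key exchange."""
    return [s for s in suites if key_exchange(s) == "static-rsa"]


# Constructed sample configuration: a mix an operator might find on an
# older server that was never tightened after TLS 1.2 deployment.
SAMPLE_CONFIG = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite in SAMPLE_CONFIG:
        print(f"{key_exchange(suite):15s} {suite}")
    print("static RSA suites to remove:", audit(SAMPLE_CONFIG))
    print("equivalent OpenSSL policy:", OPENSSL_NO_STATIC_RSA)
```

Suites classified "other" (static ECDH, anonymous, PSK-only) are not forward-secret either and deserve their own review; the audit above deliberately reports only the RSA-encryption handshake the thread is discussing.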