On Sun, Mar 13, 2016 at 11:14:13AM +0000, Stephen Farrell wrote: > > I've been worried about this for a while now, but the recant > thread started by Kyle Nekritz [3] prompted me to send this > as I think that's likely just the tip of an iceberg. E.g., I'd > be worried about cross-protocol attacks one might be able to > try with JS in a browser if the JS can create arbitrary HTTP > header fields which I think is the case. I'm also worried about > things like EAP-TLS and RADIUS/Diameter if used via TLS etc > where we don't necessarily have the right people active on this > list. While I don't have any concrete attacks, the ability to > create replayable data smells really really bad to me and I've > no idea how we can honestly be confident we've done a good job > on TLS1.3 while such smells linger.
Also, it occurs to me that problems can arise if one tries to combine 0-RTT data with ALPN. The 0-RTT datablock is probably only appropriate for one of the protocols... If it is HTTP/2 vs. HTTP/1.1, if you get it wrong, the connection will break (the HTTP/2 prelude). Wonder if one is so fortunate with some other protocol pairs... Hmm... That got me some ideas... > I'd also note that my overall impression of the TRON w/s was that > researchers thought 1rtt was mostly ready, but that there was > no similar confidence in 0rtt. I also don't think "another TRON" is > the answer here, as we'd not have the right people in the room > who'd know the consequences of replay for all instances of <foo>/TLS. TLS 1.3 1-RTT is just boring, unless you are trying to do something at least a bit screwy, like mix pure-PSK and client-auth. No such luck with 0-RTT. There is all sorts of cryptographic screwyness in there too (through getting rid of DH-0RTT should eliminate that). Also, it occurs to me that very few protocols are even nearly as vulernable to these kind of issues than HTTP, including cases where one end is speaking HTTP but the other is not... -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
