On Sat, Sep 10, 2016 at 08:43:33PM +1000, Martin Thomson wrote: > > I wouldn't say that this is a great argument, but it's one that could > be made. Generally, I've given up on TLS error codes being useful, or > even making them useful; we've been stung in the past by being overly > specific about what went wrong.
Well, regarding usefulness of TLS error codes, the error codes don't even come close to useful-for-debugging. This isn't because of information leaking (which AFAICT can only happen in very few places), but because error codes just are not expressive enough. Also, if you have a place where you worry about alerts leaking information to attacker, watch out, you might very well also have a timing attack. The places of TLS 1.3 that I can quickly name that are sensitive, and so one should take care to only send one kind of alert for each: - Deprotect failures (bad_record_mac) - MAC (finished) failures (decrypt_error) - key agreement failure (???, my code uses illegal_parameter[1]) - signature failures (internal_error) Also, note that with some bad cryptographic algorithms, one can't even let the other side know operation failed. So even just resetting the connection leaks too much information. [1] Logic being: It is likely provoked by peer sending invalid share -> invalid field value -> illegal_parameter. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
