On 12/30/2016 06:44 AM, Ilari Liusvaara wrote:
> On Thu, Dec 29, 2016 at 02:45:53PM -0800, Adam Langley wrote:
>>
>> An attacker could redirect a 0-RTT handshake that was destined to S1
>> and feed it to S2. If S2 ignores the SNI value (common) it could
>> accept and process the 0-RTT data even though it was destined for S1.
> Sounds like standard-issue default-vhost attack (which are sadly
> common security issues in https://).
>

Somehow, I feel like adding text in the 1.3 spec that servers should not
do this is not really going to help anyone.

>> However, in that case TLS 1.2 is probably also affected because S2
>> would likely process a 1.2 handshake that was destined to S1 as well.
>> (Even without a shared ticket key or session cache.) See
>> http://antoine.delignat-lavaud.fr/doc/www15.pdf for more.
> You mean redirecting full handshake meant for s1.example.com to
> s2.example.com? Or redirecting a TLS 1.2 resumption handshake?

Naively, if s1 and s2 share cert and private key, and ignore the SNI, it
seems like redirecting a full handshake would work. But I didn't think
about it very hard.

> Also, wonder how many servers don't check for SNI when resuming...
>

Me, too.

-Ben
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
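
The SNI check discussed in this thread, as an added Python example that is not part of the original messages: a toy model (not real TLS) in which S1 and S2 share a ticket key, and a server refuses early data unless the ClientHello SNI names a host it serves and matches the SNI recorded in the ticket. The ticket format, function names and key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-shared-ticket-key"   # assumption: S1 and S2 share this key

def norm(name):
    """Case-fold a host name and drop a trailing dot."""
    return name.lower().rstrip(".")

def seal_ticket(key, sni, psk_id):
    """Issue a ticket whose MAC covers the SNI of the original handshake."""
    body = json.dumps({"sni": norm(sni), "psk_id": psk_id}).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def open_ticket(key, ticket):
    """Return the ticket state, or None if the MAC does not verify."""
    tag, body = ticket[:32], ticket[32:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, good) else None

def early_data_decision(key, ticket, hello_sni, local_names, check_sni=True):
    """Return 'accept_0rtt' or 'full_handshake' (early data is discarded)."""
    state = open_ticket(key, ticket)
    if state is None:
        return "full_handshake"          # forged or foreign ticket
    if not check_sni:
        return "accept_0rtt"             # the SNI-ignoring behaviour from the thread
    if hello_sni is None or norm(hello_sni) not in local_names:
        return "full_handshake"          # not a name this server serves
    if norm(hello_sni) != state["sni"]:
        return "full_handshake"          # ticket was issued under another name
    return "accept_0rtt"

if __name__ == "__main__":
    ticket = seal_ticket(KEY, "s1.example.com", "psk-1")   # constructed sample
    s1, s2 = {"s1.example.com"}, {"s2.example.com"}
    hello = "s1.example.com"             # ClientHello SNI, destined for S1
    print("S1:", early_data_decision(KEY, ticket, hello, s1))
    print("S2, SNI ignored:", early_data_decision(KEY, ticket, hello, s2, check_sni=False))
    print("S2, SNI checked:", early_data_decision(KEY, ticket, hello, s2))
```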