On Tue 2017-05-02 14:57:54 -0500, Nico Williams wrote:
> Well, I did say that to me there's not much difference to _me_ between
> "connections reusing the same ticket can be correlated to each other"
> and "connections reusing the same ticket can be correlated to each other
> and the connection whence the ticket".  Others might disagree,

I disagree, Nico! :)

The difference here is between saying:

 * clients that want the latency benefit of session resumption can be
   careful to avoid ticket reuse and their connections will be
   unlinkable to a network observer who records session IDs.

versus:

 * clients that want the latency benefit of session resumption must
   accept that a network observer can trivially know that each
   connection is linkable to the previous one.

Put another way: the difference between 0 required backlinks and 1
required backlink on each individual session resumption is the
difference (for a cautious yet session-resuming client) between 0
connections linked by a network observer and all connections linked by a
network observer.

TLS session linkability is relevant:

 * When a client is behind a NAT and wants their connections to be mixed
   with (indistinguishable from) other clients behind the same NAT, from
   the perspective of a network observer outside the NAT.

 * When a client moves network locations and doesn't want their network
   position to be trackable by a network observer.

 * When a client uses a VPN as an encrypted Internet proxy (or uses Tor
   or some other similar IP-anonymizing service), and does not want a
   network observer outside the VPN to be able to distinguish their
   traffic from the traffic of other users of the anonymity network.

        --dkg
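Added example, not from the thread or from anyone on it: a small Python model of what a passive network observer can link from resumption identifiers, covering both of Nico's phrasings and the 0-versus-1 backlink distinction above. It assumes the observer sees only identifiers sent in the clear: the one a client presents in its ClientHello always, and the one a server issues only when the protocol sends it unencrypted (the identifiers t0, t1, ... are constructed).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Observed:
    presented: Optional[str]  # resumption identifier seen in the ClientHello, if any
    issued: Optional[str]     # identifier issued on this connection, if visible on the wire

def simulate(n: int, reuse: bool, issuance_visible: bool) -> List[Observed]:
    """One client makes n connections: a full handshake, then n-1 resumptions.
    reuse=True keeps presenting the first ticket it got; reuse=False presents,
    exactly once, the fresh ticket issued on the previous connection."""
    conns, ticket = [], None
    for i in range(n):
        new_ticket = f"t{i}"  # constructed id; the server issues a fresh ticket each time
        conns.append(Observed(ticket, new_ticket if issuance_visible else None))
        if ticket is None or not reuse:
            ticket = new_ticket
    return conns

def linked_groups(conns: List[Observed]) -> List[Set[int]]:
    """Passive observer: link two connections whenever the same identifier shows up
    on both, either presented twice (ticket reuse) or issued on one and presented
    on the other (the single backlink discussed in the thread)."""
    parent = list(range(len(conns)))
    def find(x: int) -> int:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    first_seen: Dict[str, int] = {}  # identifier -> first connection it appeared on
    for i, c in enumerate(conns):
        for ident in (c.presented, c.issued):
            if ident is None:
                continue
            if ident in first_seen:
                parent[find(i)] = find(first_seen[ident])
            else:
                first_seen[ident] = i
    groups: Dict[int, Set[int]] = {}
    for i in range(len(conns)):
        groups.setdefault(find(i), set()).add(i)
    return sorted(groups.values(), key=min)

def largest_linked(n: int, reuse: bool, issuance_visible: bool) -> int:
    """Size of the biggest set of connections the observer can tie together."""
    return max(len(g) for g in linked_groups(simulate(n, reuse, issuance_visible)))
```

With single-use tickets and encrypted issuance the observer links nothing; single-use tickets with visible issuance chain every connection to the one before it; ticket reuse links the reusing connections to each other but, with encrypted issuance, not to the connection that obtained the ticket.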


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls