On May 4, 2017, at 19:35, Watson Ladd <watsonbl...@gmail.com> wrote:
>
> Dear all,
>
> Applications have always had to deal with the occasional replay,
> whether from an impatient user or a broken connection at exactly the
> wrong time. But they've generally been rare, so human-in-the-loop
> responses work. Order the same book twice? Just return one of them,
> and if you get an overdraft fee, ouch, we're sorry, but nothing we can
> do.
Very few applications have been designed with deliberate malicious “intelligent” interference in mind. Probably none among those that delegate their communications security to a “security protocol” such as TLS or IPsec. After all, a big selling point of using (somebody else’s) security protocol/implementation is that the security responsibilities are “outsourced” to that other layer/entity/<you got the idea>. Haven’t you heard this: “I don’t know how to secure my pipe, and I don’t have to - I use TLS for that”. So far the consequences have been rather mild, not much worse than what Watson showed as examples to illustrate his point. But it is changing, and not for the better. Summary: it is not good to deliberately ignore malicious replays.
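The application-layer handling the thread argues for, as an added example that is not part of either message above: a server-side idempotency cache keyed by a client-chosen request id, so a replayed "order" (from an impatient user, a retried connection, or someone deliberately resending a captured request) returns the original outcome instead of creating a second order. `ReplayGuard`, `place_order` and the `clock` parameter are assumptions of this example, not anything from the thread.

```python
import time
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple


@dataclass
class ReplayGuard:
    """Remembers request ids for `ttl` seconds and replays their cached result.

    The id must be unique per request within the window and bound to the
    authenticated client in a real deployment (assumption: one client here).
    """
    ttl: float = 300.0
    clock: Callable[[], float] = time.monotonic
    seen: Dict[str, Tuple[float, Any]] = field(default_factory=dict)

    def once(self, request_id: str, action: Callable[[], Any]) -> Tuple[Any, bool]:
        """Run `action` at most once per request_id; returns (result, replayed)."""
        now = self.clock()
        # Drop ids whose window has expired so the cache stays bounded.
        for rid in [r for r, (exp, _) in self.seen.items() if exp <= now]:
            del self.seen[rid]
        if request_id in self.seen:
            # Replay detected: hand back the original outcome, do not act again.
            return self.seen[request_id][1], True
        result = action()
        self.seen[request_id] = (now + self.ttl, result)
        return result, False


def place_order(guard: ReplayGuard, orders: List[str],
                request_id: str, book: str) -> Tuple[dict, bool]:
    """Order a book; a replayed request_id must not add a second order."""
    def do_order() -> dict:
        orders.append(book)
        return {"order_no": len(orders), "book": book}
    return guard.once(request_id, do_order)


if __name__ == "__main__":
    guard, orders = ReplayGuard(), []
    print(place_order(guard, orders, "req-1", "book A"))  # fresh request
    print(place_order(guard, orders, "req-1", "book A"))  # replay, same order_no
    print("orders placed:", len(orders))
```

The cache is per-process here; a replicated service needs a shared store for the ids, otherwise a replay sent to a different instance is not recognised.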
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls