On Sat, May 06, 2017 at 09:43:55AM -0400, Kyle Rose wrote:
> On Sat, May 6, 2017 at 8:22 AM, Salz, Rich <rs...@akamai.com> wrote:
>
> > What about when **part** of a request is in the 0RTT part, and the rest
> > of it isn’t? I believe this will happen often for H2 initial setup.
> > Imagine the “fun” when initial connection data, such as login cookies, is
> > replayed in other contexts and eventually decrypted?
>
> I asked this question a while back, and didn't get a satisfying answer: if
> an on-path attacker replaces the early data with a replay from an earlier
> connection, does the server eventually figure this out once the handshake
> is complete, or is this mix-and-match impossible for the server to detect?
> It would be nice if a security property of early data is that a replay
> attack is eventually detected, because at least then you'll know you're
> under attack.

Trying to replace the early data leads to a fatal handshake error if the
server accepts 0-RTT (since actual deprotection failure from 0-RTT data
is fatal). If the server rejects, then the substitution is silently ignored.

-Ilari
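
Added example, not part of the thread: a model of why early data spliced in from an earlier connection fails deprotection when the server accepts 0-RTT. The early traffic key is derived from the PSK and the hash of the current ClientHello (RFC 8446, section 7.1), so records protected under a previous ClientHello do not authenticate. The function names, the PSK and the ClientHello bytes are constructed for illustration; SHA-256 and AES-128-GCM are assumed.

```javascript
// Added example: models TLS 1.3 0-RTT key derivation (RFC 8446, section 7.1).
// Simplified: one record, sequence number 0, no AAD or inner content type.
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// HKDF-Expand-Label for outputs of at most 32 bytes (a single HMAC block).
function expandLabel(secret, label, context, length) {
  const full = Buffer.from('tls13 ' + label);
  const info = Buffer.concat([
    Buffer.from([length >> 8, length & 0xff, full.length]), full,
    Buffer.from([context.length]), context,
  ]);
  return hmac(secret, Buffer.concat([info, Buffer.from([1])])).subarray(0, length);
}

// Early-data key and IV: bound to the PSK and to the hash of this ClientHello.
function earlyKeys(psk, clientHello) {
  const earlySecret = hmac(Buffer.alloc(32), psk); // HKDF-Extract(0, PSK)
  const transcript = crypto.createHash('sha256').update(clientHello).digest();
  const secret = expandLabel(earlySecret, 'c e traffic', transcript, 32);
  return { key: expandLabel(secret, 'key', Buffer.alloc(0), 16),
           iv: expandLabel(secret, 'iv', Buffer.alloc(0), 12) };
}

function protect(keys, plaintext) {
  const c = crypto.createCipheriv('aes-128-gcm', keys.key, keys.iv);
  return { body: Buffer.concat([c.update(plaintext), c.final()]), tag: c.getAuthTag() };
}

// Returns the plaintext, or null where a real server would send a fatal alert.
function deprotect(keys, record) {
  const d = crypto.createDecipheriv('aes-128-gcm', keys.key, keys.iv);
  d.setAuthTag(record.tag);
  try { return Buffer.concat([d.update(record.body), d.final()]); }
  catch (e) { return null; }
}

// Constructed sample: same PSK, two connections with different ClientHello randoms.
function demo() {
  const psk = Buffer.alloc(32, 7);
  const hello1 = Buffer.concat([Buffer.from('ClientHello#1'), crypto.randomBytes(32)]);
  const hello2 = Buffer.concat([Buffer.from('ClientHello#2'), crypto.randomBytes(32)]);
  const oldRecord = protect(earlyKeys(psk, hello1), Buffer.from('GET /login'));
  return {
    sameConnection: deprotect(earlyKeys(psk, hello1), oldRecord), // decrypts
    substituted: deprotect(earlyKeys(psk, hello2), oldRecord),    // AEAD failure
  };
}
```

This covers only the substitution case asked about above; a replay of the entire first flight (the original ClientHello together with its early data) derives the same key and is not caught by this check.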