On Mon, May 22, 2017 at 10:46 AM, Christian Huitema <huit...@huitema.net> wrote:

> Check DKG's analysis of 0-RTT for DNS over TLS:
> https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01276.html.
> There is only one point of concern, a minor privacy leak if the DNS
> queries in the 0-RTT data can be replayed at intervals chosen by the
> attacker. The idea is to replay the data to a resolver, and then observe
> the queries going out to authoritative servers in clear text. The
> correlation can be used to find out what domain the client was attempting
> to resolve. The attack requires "chosen time" by the attacker, and thus
> will probably be mitigated by a caching system that prevents replays
> after a short interval.

I have a reply to that too, linked at the bottom: there's actually a more trivial side-channel (due to non-idempotence) that hadn't been considered in the original analysis. I've yet to find /any/ example application where 0-RTT replay would actually be side-channel free.

--
Colm
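
An added illustration, not part of either message above and not code from any TLS or DNS implementation: one way a server could refuse replays of a 0-RTT flight outside a short interval, run against a constructed DNS query replayed at attacker-chosen times. The class and function names, the 10-second window and the binder-plus-payload flight identifier are all assumptions made for this sketch.

```python
import hashlib

class EarlyDataReplayGuard:
    """Accept each 0-RTT flight at most once, and only while it is fresh."""

    def __init__(self, window=10.0):
        self.window = window      # seconds a flight stays acceptable (assumed value)
        self._seen = {}           # flight id -> time after which it is stale anyway

    def check(self, flight_id, expected_arrival, now):
        """Return 'accept', 'stale' or 'replay' for one early-data flight.

        expected_arrival: when the server expects the flight, derived from
        the ticket issue time plus the client's reported ticket age.
        """
        # Forget ids that the freshness test below would reject regardless.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}
        if abs(now - expected_arrival) > self.window:
            return "stale"        # caller falls back to a full handshake
        if flight_id in self._seen:
            return "replay"
        self._seen[flight_id] = expected_arrival + self.window
        return "accept"


def flight_id(early_data: bytes, psk_binder: bytes) -> str:
    """Identify a flight by hashing binder and payload (hypothetical scheme)."""
    return hashlib.sha256(psk_binder + early_data).hexdigest()


def run_demo():
    """Replay one constructed DNS query at attacker-chosen times."""
    guard = EarlyDataReplayGuard(window=10.0)
    fid = flight_id(b"\x00\x01 example.test A?", b"constructed-binder")
    outbound = 0                  # queries the resolver would send upstream
    decisions = []
    for now in (100.5, 103.0, 109.0, 400.0):   # original, then three replays
        verdict = guard.check(fid, expected_arrival=100.0, now=now)
        decisions.append(verdict)
        if verdict == "accept":
            outbound += 1         # only an accepted flight triggers recursion
    return decisions, outbound


if __name__ == "__main__":
    print(run_demo())
```

The guard covers only the timed-replay concern in the quoted paragraph; entries are kept until the freshness check alone would reject the flight, so the table stays bounded by the window.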

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls