I’d rather not deal with this whole mess. -- Regards, Uri
On 7/11/2017, 16:56, "TLS on behalf of Christian Huitema" <tls-boun...@ietf.org on behalf of huit...@huitema.net> wrote:

On 7/11/2017 1:31 PM, Stephen Farrell wrote:
> PS: There are also genuine performance reasons why the same
> DH public might be re-used in some cases, so there would be
> false positives in a survey to consider as well.

Well, yes. The classic argument is performance. Saving the cost of exponentiation, computing G^X once for many sessions instead of once per session. But you reap most of the benefits of that optimization with a fairly small number of repetitions. Performance alone is not a good reason to use the key over an extended period, nor to share the exact same key between all servers in a farm.

The fact is that wide reuse of the same (EC)DH private key does compromise the security of TLS -- including an obvious issue with forward secrecy.

I get your argument that this can turn into a cat and mouse game. Clients detect a bad behavior, misbehaving servers adapt by tweaking the behavior to avoid detection, clients get smarter, etc. On the other hand, documenting the attack clearly marks this key reuse as not desirable and not supported. The public statement provides an argument to developers to "just say no" when asked to add the wiretap "feature". Detection by clients also provides a clear signal to enterprises that they should really find another way to solve their problem.

In any case, I just submitted PR #1049 (https://github.com/tlswg/tls13-spec/pull/1049).

-- Christian Huitema
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
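The thread discusses clients detecting a server that reuses its (EC)DH key share, while allowing for the small number of legitimate repetitions that the performance optimisation buys. The following is an added example, not code from the thread or from the TLS working group: a client-side monitor that records the key_share public value each server presents and raises a finding when the same value is seen more than a tolerated number of times, lives longer than a tolerated age, or shows up on more than one host (the "same key across a server farm" case). The handshake records, server names and thresholds are constructed for illustration.

```python
"""Client-side detector for reused (EC)DH key shares across TLS handshakes.

Added example; assumes the caller extracts (server_name, group, public value)
from each ServerHello key_share extension it observes. Thresholds are
illustrative: a handful of repeats is tolerated as the documented
performance optimisation, anything beyond is treated as a non-ephemeral share.
"""
from dataclasses import dataclass


@dataclass
class KeyShareRecord:
    first_seen: float   # time of first observation (seconds)
    last_seen: float    # time of most recent observation
    count: int          # how many handshakes presented this exact value
    servers: set        # server names that presented it


class KeyShareMonitor:
    """Tracks (group, public value) pairs seen in server key_share extensions."""

    def __init__(self, max_repeats: int = 2, max_age_s: float = 3600.0):
        # Tolerance for the legitimate "compute G^X once for a few sessions"
        # optimisation; beyond this the share is flagged as long-lived.
        self.max_repeats = max_repeats
        self.max_age_s = max_age_s
        self._seen: dict[tuple[str, bytes], KeyShareRecord] = {}

    def observe(self, server_name: str, group: str, public_value: bytes,
                now: float) -> list[str]:
        """Record one handshake and return any findings it triggers."""
        key = (group, public_value)
        rec = self._seen.get(key)
        if rec is None:
            self._seen[key] = KeyShareRecord(now, now, 1, {server_name})
            return []
        rec.count += 1
        rec.last_seen = now
        rec.servers.add(server_name)

        findings = []
        if rec.count > self.max_repeats:
            findings.append(
                f"{server_name}: {group} key share seen {rec.count} times")
        if now - rec.first_seen > self.max_age_s:
            findings.append(
                f"{server_name}: {group} key share older than {self.max_age_s:.0f}s")
        if len(rec.servers) > 1:
            others = sorted(rec.servers - {server_name})
            findings.append(
                f"{server_name}: {group} key share shared with {others}")
        return findings


# Constructed handshake observations (not real captures):
# (time in seconds, server name, named group, key_share public value)
CONSTRUCTED_HANDSHAKES = [
    (0.0,    "a.example", "x25519", bytes.fromhex("11" * 32)),
    (10.0,   "a.example", "x25519", bytes.fromhex("22" * 32)),  # fresh share
    (20.0,   "a.example", "x25519", bytes.fromhex("11" * 32)),  # 2nd use, tolerated
    (30.0,   "a.example", "x25519", bytes.fromhex("11" * 32)),  # 3rd use, flagged
    (40.0,   "b.example", "x25519", bytes.fromhex("11" * 32)),  # same share, other host
    (4000.0, "a.example", "x25519", bytes.fromhex("11" * 32)),  # still alive an hour on
]


def run_sample() -> list[str]:
    """Feed the constructed handshakes through the monitor; return all findings."""
    monitor = KeyShareMonitor(max_repeats=2, max_age_s=3600.0)
    findings = []
    for t, server, group, pub in CONSTRUCTED_HANDSHAKES:
        findings.extend(monitor.observe(server, group, pub, now=t))
    return findings


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The three checks map onto the three concerns in the message: repeat count covers plain reuse, age covers a key kept "over an extended period", and the cross-host check covers one exponent shared by every server in a farm. The tolerances are what keep the performance optimisation from registering as a false positive; a deployment would tune them rather than use the illustrative values here.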