Hi,

On Fri, 6 Oct 2017 13:16:37 -0700
Eric Rescorla <e...@rtfm.com> wrote:

> - Fall back to TLS 1.2 (as we have unfortunately done for previous
> releases)

Thinking about this I honestly hope nobody is considering this seriously.

This would be an unfixable security design flaw. And it also quite significantly differs from previous fallbacks.

There were workarounds in the past for version intolerance by using SCSV and early versions of 1.3 used some trick with the server random value. However, that was for nonconformant servers that allowed conformant servers and clients to prevent downgrade attacks.

Such workarounds won't work if we talk about middleboxes, because what's proposed here is to fall back to TLS 1.2 even if both the server and the client speak TLS 1.3.

In other words: It's a proposal to make all security advantages of TLS 1.3 irrelevant, as we have a universal downgrade to 1.2. Given that this would also mean there's no visible incentive to fix things, it would very likely mean keeping this broken workaround for many years to come.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
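
An added illustration, not part of the original message: a simplified Python model of the two downgrade checks the post mentions, TLS_FALLBACK_SCSV (RFC 7507) and the ServerHello.random sentinel (as later specified in RFC 8446, section 4.1.3), showing that a retry at TLS 1.2 between two TLS 1.3 peers only connects when the client disables both. The function names, the single "highest offered version" field and the sample cipher suites are assumptions of this sketch, not a real TLS stack.

```python
import os

TLS12, TLS13 = 0x0303, 0x0304
FALLBACK_SCSV = 0x5600           # TLS_FALLBACK_SCSV code point, RFC 7507
SENTINEL_TLS12 = b"DOWNGRD\x01"  # last 8 bytes of ServerHello.random


def server_hello(server_max, client_max, cipher_suites):
    """Conformant server: return (version, random) or refuse a bad fallback."""
    if FALLBACK_SCSV in cipher_suites and client_max < server_max:
        raise ConnectionError("inappropriate_fallback")
    version = min(server_max, client_max)
    random = os.urandom(32)
    if server_max >= TLS13 and version == TLS12:
        # A 1.3-capable server marks every 1.2 handshake it agrees to.
        random = random[:24] + SENTINEL_TLS12
    return version, random


def client_accepts(client_real_max, version, random):
    """Conformant 1.3 client: a 1.2 ServerHello with the sentinel is a downgrade."""
    marked = version == TLS12 and random[24:] == SENTINEL_TLS12
    return not (client_real_max >= TLS13 and marked)


def fallback_retry(server_max, client_real_max, send_scsv, check_sentinel):
    """Second attempt, offering only TLS 1.2, after the first one failed."""
    suites = [0xC02F, 0xC030] + ([FALLBACK_SCSV] if send_scsv else [])
    try:
        version, random = server_hello(server_max, TLS12, suites)
    except ConnectionError as alert:
        return f"aborted: {alert}"
    if check_sentinel and not client_accepts(client_real_max, version, random):
        return "aborted: downgrade sentinel"
    return "connected: TLS 1.2"


if __name__ == "__main__":
    for scsv, sentinel in [(True, True), (False, True), (False, False)]:
        print(scsv, sentinel, fallback_retry(TLS13, TLS13, scsv, sentinel))
    # Legacy server that really tops out at 1.2: both checks pass.
    print(fallback_retry(TLS12, TLS13, True, True))
```

The client cannot tell a middlebox that dropped its first ClientHello from an attacker who did the same, so the only configuration that connects in the two-1.3-peers case is the one with no downgrade detection left.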