It's a privacy leak. -Ekr
On Mon, Oct 30, 2017 at 2:51 AM, Jānis Čoders <janis.cod...@gmail.com> wrote: > Thank you. Ok, I understand that some servers could not allow reuse of > cookie, but why is it FORBIDDEN by standard? It could be suggested to > not reuse in general cases, but if I wanted to use TLS 1.3 with my > custom server, which uses cookies to only prevent spoofing attacks (in > UDP (DTLS) case). And clients know that they can reuse previous > cookies for fast handshake, then why would it be prohibited? > > On 30 October 2017 at 11:31, Martin Thomson <martin.thom...@gmail.com> > wrote: > > What is most likely to happen is that the cookie will be invalid and > > the connection will be rejected. > > > > Many TLS servers assume that presence of a cookie means that they > > previously sent a HelloRetryRequest on that connection. For instance, > > NSS packs a hash of the original ClientHello into the cookie so that > > it can restore the handshake transcript. Reusing the cookie will just > > lead to the server restoring the handshake transcript from the wrong > > handshake. And that's even assuming that it accepts the cookie in the > > first place. > > > > On Mon, Oct 30, 2017 at 6:07 PM, Jānis Čoders <janis.cod...@gmail.com> > wrote: > >> Hi, is there ANY security issue with reusing Cookie from previous TLS > >> connection? In current draft there is text: "Clients MUST NOT use > >> cookies in their initial ClientHello in subsequent connections." I > >> can't think of any security implication, but can think of situations > >> where it could be useful. > >> > >> -- > >> Ar cieņu, > >> Jānis Čoders > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > > > > -- > Ar cieņu, > Jānis Čoders > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
