On Thursday, 12 December 2019 16:50:45 CET, David Benjamin wrote:
On Thu, Dec 12, 2019 at 6:51 AM Hubert Kario <hka...@redhat.com> wrote:
On Wednesday, 11 December 2019 18:06:19 CET, David Benjamin wrote: ...
... some TLS stacks don't
support renegotiation as a server at all (BoringSSL and Go).
... Chrome does not accept it ...
so because Google decided one thing, everybody has to bow down to it?
and, sorry, but I consider the privacy angle a red herring, nobody is doing
proper AppData padding, so the connections leak privacy information in TLS 1.3
like a sieve too
An endpoint MAY use renegotiation to provide confidentiality protection
for client credentials offered in the handshake
An HTTP/2 client speaks as soon as the handshake completes and does not know
whether the server is going to do this.
if privacy was so important, why did nobody work on it with HTTP/2? It's not
like much has changed in the last 4 years on that front.
sorry, I'm not buying that argument
--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic