On Tue, Oct 10, 2023 at 1:24 PM Bas Westerbaan <b...@cloudflare.com> wrote:
> > OK, I see. It's worse than a compatibility risk, though, isn't it? If you
> > just let them break in case (a), and then maybe try again with (b), that
> > opens up a downgrade attack. Intermediaries can observe the size of the
> > Client Hello and make it break
> >
>
> Exactly.
>

Yup! The draft fixes that downgrade, should any clients take such an (a) + (b) fallback strategy. I would very much prefer not needing such a strategy (so Chrome's current rollout attempt simply does (a)), since such fallbacks have other bad consequences. But if we can at least make it secure, that gives us a bit more breathing room in case anyone needs it.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
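The downgrade the thread describes can be shown with a small model of the two client strategies. The following is an added toy example, not code from the thread, from Chrome, or from any TLS stack or draft: a client that either sends only the large hybrid ClientHello (strategy (a)) or falls back to a small classical ClientHello when the first attempt dies (strategy (a) + (b)), facing an intermediary that drops any ClientHello above a size threshold without parsing it. The key-share sizes, the base ClientHello size, the drop threshold, and the group names are assumptions chosen to make the effect visible.

```python
"""Toy model of a ClientHello-size downgrade against a fallback client.

Constructed example: the byte sizes, the middlebox threshold and the group
labels are assumptions, not measurements of any real deployment.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed key-share sizes in bytes. The hybrid share is large because it
# carries a post-quantum KEM public key next to the classical X25519 share.
KEY_SHARE_SIZES = {
    "x25519": 32,
    "x25519+pq-hybrid": 32 + 1216,  # assumption: ~1.2 KB KEM public key
}
BASE_HELLO_SIZE = 300  # assumed size of the rest of the ClientHello

# Offered groups per attempt. Strategy "a" makes one attempt and fails
# closed; "a+b" retries with a classical-only ClientHello on failure.
STRATEGIES = {
    "a": [["x25519+pq-hybrid", "x25519"]],
    "a+b": [["x25519+pq-hybrid", "x25519"], ["x25519"]],
}


@dataclass
class ClientHello:
    groups: List[str]

    def size(self) -> int:
        return BASE_HELLO_SIZE + sum(KEY_SHARE_SIZES[g] for g in self.groups)


class Middlebox:
    """Intermediary that drops any ClientHello larger than max_size.

    It never looks inside the handshake; size alone is enough to decide,
    which is what makes the attack cheap for an on-path adversary.
    """

    def __init__(self, max_size: Optional[int]):
        self.max_size = max_size

    def forward(self, hello: ClientHello) -> Optional[ClientHello]:
        if self.max_size is not None and hello.size() > self.max_size:
            return None  # dropped: the client only sees a timeout or reset
        return hello


def server_select(hello: ClientHello) -> str:
    """Server prefers the hybrid group whenever the client offers it."""
    for group in ("x25519+pq-hybrid", "x25519"):
        if group in hello.groups:
            return group
    raise ValueError("no supported group offered")


def connect(strategy: str, middlebox: Middlebox) -> Optional[str]:
    """Negotiated group, or None if every attempt was dropped."""
    for groups in STRATEGIES[strategy]:
        delivered = middlebox.forward(ClientHello(groups))
        if delivered is not None:
            return server_select(delivered)
    return None


def run_scenarios() -> dict:
    """Compare both strategies on a clean path and behind a size-dropping box."""
    clean = Middlebox(max_size=None)
    hostile = Middlebox(max_size=1000)  # assumption: drops the ~1.5 KB hybrid hello
    return {
        ("a", "clean"): connect("a", clean),
        ("a+b", "clean"): connect("a+b", clean),
        ("a", "hostile"): connect("a", hostile),
        ("a+b", "hostile"): connect("a+b", hostile),
    }


if __name__ == "__main__":
    for (strategy, path), result in run_scenarios().items():
        print(f"strategy {strategy:4} on {path:8} path -> {result}")
```

On a clean path both strategies negotiate the hybrid group. Behind the size-dropping intermediary, strategy (a) fails closed (no connection), while strategy (a) + (b) silently completes a classical-only handshake: the intermediary never parsed TLS, it only made the large ClientHello disappear, and the fallback did the rest. That is the downgrade the quoted message points at, and why a fallback is only acceptable if the protocol lets the server detect that the fallback happened.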