Re: [TLS] Security review of TLS1.3 0-RTT

2017-06-04 Thread Yoav Nir
> On 5 Jun 2017, at 6:06, Bill Cox wrote: > > On Sun, Jun 4, 2017 at 4:08 PM, Benjamin Kaduk > wrote: > > Do we have a good example of why a non-safe HTTP request in 0-RTT would lose > specific properties required for

Re: [TLS] Security review of TLS1.3 0-RTT

2017-06-04 Thread Benjamin Kaduk
On 06/01/2017 03:50 PM, Victor Vasiliev wrote: > > To clarify, I am not suggesting that two streams would help. > I completely > agree with you that two streams is not going to mitigate the > DKG attack or > others. What I meant is that 0-RTT inherently

Re: [TLS] Security review of TLS1.3 0-RTT

2017-06-04 Thread Benjamin Kaduk
On 06/02/2017 04:49 PM, Victor Vasiliev wrote: > > 4. If implemented properly, both a single-use ticket and a >strike-register style mechanism make it possible to limit >the number of 0-RTT copies which are processed to 1 within >a given zone (where a zone is defined as

Re: [TLS] Security review of TLS1.3 0-RTT

2017-06-04 Thread Benjamin Kaduk
On 06/04/2017 02:08 PM, Bill Cox wrote: > My feeling is that when talking to stateless 0-RTT servers, browsers > should send only idempotent HTTP requests, and accept > less-than-perfect FS. I also feel they should avoid attempts at > client auth over 0-RTT. However, when talking to servers that

Re: [TLS] Encrypted SNI

2017-06-04 Thread Benjamin Kaduk
On 06/02/2017 08:28 AM, Toerless Eckert wrote: > Another candidate use case coming to mind eg: auditing tht is required in > many eg: financial > environments. In the past i have seen even the requirement for the whole data > streams to be unencrypted > for auditing. Maybe that market segment

Re: [TLS] Security review of TLS1.3 0-RTT

2017-06-04 Thread Colm MacCárthaigh
On Fri, Jun 2, 2017 at 2:25 PM, Eric Rescorla wrote: > > Sure. For the sake of clarify, I'm going to suggest we call: > > - replay == the attacker re-sends the data with no interaction > with the client > - retransmission == the client re-sends (possibly with some

Re: [TLS] Security review of TLS1.3 0-RTT

2017-06-04 Thread Bill Cox
On Fri, Jun 2, 2017 at 2:39 PM, Victor Vasiliev wrote: > > Now, imagine the following attack: > > a) Between (1) and (2), the attacker resets the TCP connection, after > the client got the response and the session ticket. > b) Since the client has the ticket, it