Hi Matthias,
I don't think that's very practical. Put yourself into the shoes of a web
site owner; how would they go about adding support for some TLS extension?
Having a requirement like that would only frustrate them and turn them away
from SSL Labs.
I think a much better use of our energy and everyone's time would be to
focus on helping TLS 1.3 adoption, which addresses the issues you mentioned
and then some.
On Tue, Jul 4, 2017 at 8:06 PM, Matthias Terlinde <[email protected]>
wrote:
> Hi list,
> > Happy to discuss here, but you can also leave comments on the document
> > itself.
> Thanks for the invitation.
>
> In my eyes you should add some TLS extension into the context.
> For a A/A+ grading I recommend the "extended master secret extension" as
> defined in RFC5246 [1].
> In TLS 1.2 the master secret isn't cryptographically bound to the
> session parameters which enables man in the middle attacks on session
> resumption.
>
> Do you take the "encrypt-then-mac extension" [2] into account for
> authenticated encryption for the A grade?
>
> Another discussable extension is the "truncated_hmac extension" [3],
> which reduces the hmac to 80 bits. I didn't found any related research
> to hmac truncatoin and TLS.
> Do you have any hints, that this one is insecure to use?
>
> Have a nice evening,
> Matthias
>
> [1] https://tools.ietf.org/html/rfc7627
> [2] https://tools.ietf.org/html/rfc7366
> [3] http://www.iana.org/go/rfc6066
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> ssllabs-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ssllabs-discuss
>
--
Ivan
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
ssllabs-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ssllabs-discuss
