On Thu, Sep 17, 2015 at 1:50 PM, Nico Williams <n...@cryptonector.com> wrote:
> On Wed, Sep 16, 2015 at 12:53:53PM -0700, Brian Smith wrote: > > Further, the alerting mechanism has encouraged the unsafe practice of > > "version fallback." It is clear from looking at the bug databases of > > Firefox and Chrome that their attempts to make security decisions based > on > > what alerts they received was bad for security. > > Do we think that silent connection closings wouldn't also lead to > version fallback? > Let's ask the browser vendors: Browser vendors, if web servers were to stop sending alerts during handshake failures, would you start doing version fallback when a connection is closed? Fatal alerts are quite handy for diagnostics on the client side, really. > I agree that they are often marginally useful. However, the risks associated with the alert mechanism outweigh those benefits. > I'd rather keep them than remove them, but I'd be OK with clients never > sending them. I'm OK with fata alerts being SHOULD send. I suggest that, at most, implementations SHOULD NOT send them. IMO it would be better to remove the alert mechanism altogether in TLS 1.3. Most people that are arguing for retaining the alert requirements seem to be concerned about alerts sent from the server to the client. Does anybody think it is important to require clients to ever send alerts other than close_notify? Cheers, Brian -- https://briansmith.org/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
