On Thu, 3 Dec 2015 18:45:14 -0500 Watson Ladd <watsonbl...@gmail.com> wrote:
> On Tue, Dec 1, 2015 at 3:02 PM, Hanno Böck <ha...@hboeck.de> wrote: > > So as long as you make sure you implement all the proper > > countermeasures against that you should be fine. (Granted: This is > > tricky, as has been shown by previous results, even the OpenSSL > > implementation was lacking proper countermeasures not that long ago, > > but it's not impossible) > > Can you describe the complete set of required countermeasures, and > prove they work comprehensively? What if the code is running on shared > hosting, where much better timing attacks are possible? What's > shocking is that this has been going on for well over a decade: the > right solution is to use robust key exchanges, and yet despite knowing > that this is possible, we've decided to throw patch onto patch on top > of a fundamentally broken idea. There is no fix for PKCS 1.5 > encryption, just dirty hacks rooted in accidents of TLS. No disagreement here. The thing is, we have a bunch of difficult options to choose from: * Fully deprecate RSA key exchange. The compatibility costs of this one are high. They are even higher considering the fact that chrome wants to deprecate dhe and use rsa as their fallback for hosts not doing ecdhe. ecdhe implementations weren't widespred until quite recently. A lot of patent foo has e.g. stopped some linux distros from shipping it. * Separate keys for TLS 1.3 and TLS <= 1.2. Complicated. Certificates are already too complicated for many people. Do we really want to add more complexity by having different certs for different TLS versions? * Make sure proper countermeasures are implemented. Also difficult. I just learned nss is not bleichenbacher-timing-safe. Sounds like three bad options to me. -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42
pgpzxAyzgCxz6.pgp
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
