On Wed, Nov 23, 2016 at 10:44 PM, Christian Huitema <huit...@huitema.net> wrote:
> On Wednesday, November 23, 2016 7:20 PM, Colm MacCárthaigh wrote:
> >
> > Prior to TLS1.3, replay is not possible, so the risks are new, but the
> > end-to-end designers may not realize to update their threat model and
> > just what is required. I'd like to spell that out more than what's
> > there at present.
>
> Uh? Replay was always possible, at the application level. Someone might
> for example click twice on the same URL, opening two tabs, closing one at
> random. And that's without counting on deliberate mischief.

Much more than browsers use TLS, and also more than HTTP. There are many web service APIs that rely on TLS for anti-replay, and do not simply retry requests. Transaction and commit protocols for example will usually have unique IDs for each attempt.

But even if this were not the case, there are other material differences that are still relevant even to browsers. Firstly, an attacker can replay 0-RTT data at a vastly higher rate than they could ever cause a browser to do anything. Second, they can replay 0-RTT data to arbitrary nodes beyond what the browser may select. Together these open new attacks, like the third example I provided.

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
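An added sketch, not part of the thread or of any TLS implementation, of why the "arbitrary nodes" point matters to services that deduplicate on per-attempt IDs: a replay cache kept per node still executes one copy per node, while a shared one executes exactly one. The class names, response strings and sample request are constructed for illustration.

```python
import threading

class AttemptRegistry:
    """Set of attempt IDs already executed; claim() is an atomic test-and-set."""
    def __init__(self):
        self._seen, self._lock = set(), threading.Lock()

    def claim(self, attempt_id):
        with self._lock:
            if attempt_id in self._seen:
                return False
            self._seen.add(attempt_id)
            return True

class Node:
    """One server behind a load balancer (hypothetical model)."""
    def __init__(self, registry):
        self.registry = registry
        self.executed = 0

    def handle(self, request, early_data):
        attempt_id = request.get("attempt_id")
        if attempt_id is None:
            if early_data:
                # No ID to deduplicate on: only TLS could stop a replay, and
                # 0-RTT data does not get that protection, so defer.
                return "retry-after-handshake"
        elif not self.registry.claim(attempt_id):
            return "duplicate"
        self.executed += 1
        return "executed"

def replay_across(nodes, request, copies_per_node):
    """Deliver identical early data to every node; return total executions."""
    for node in nodes:
        for _ in range(copies_per_node):
            node.handle(request, early_data=True)
    return sum(node.executed for node in nodes)

def per_node_fleet(n):
    return [Node(AttemptRegistry()) for _ in range(n)]

def shared_fleet(n):
    registry = AttemptRegistry()
    return [Node(registry) for _ in range(n)]

# Constructed sample request.
TRANSFER = {"attempt_id": "attempt-0001", "op": "transfer", "amount": 10}

if __name__ == "__main__":
    print("per-node caches:", replay_across(per_node_fleet(3), TRANSFER, 100))
    print("shared cache:   ", replay_across(shared_fleet(3), TRANSFER, 100))
```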