On 7/11/2017 1:31 PM, Stephen Farrell wrote:

> PS: There are also genuine performance reasons why the same
> DH public might be re-used in some cases, so there would be
> false positives in a survey to consider as well.

Well, yes. The classic argument is performance. Saving the cost of
exponentiation, computing G^X once for many sessions instead of once per
session. But you reap most of the benefits of that optimization with a
fairly small number of repetitions. Performance alone is not a good
reason to use the key over an extended period, nor to share the exact same
key between all servers in a farm. The fact is that wide reuse of the
same (EC)DH private key does compromise the security of TLS -- including
an obvious issue with forward secrecy.

I get your argument that this can turn into a cat and mouse game.
Clients detect a bad behavior, misbehaving servers adapt by tweaking the
behavior to avoid detection, clients get smarter, etc. On the other
hand, documenting the attack clearly marks this key reuse as not
desirable and not supported. The public statement provides an argument
to developers to "just say no" when asked to add the wiretap "feature".
Detection by clients also provides a clear signal to enterprises that
they should really find another way to solve their problem.

In any case, I just submitted PR #1049
(https://github.com/tlswg/tls13-spec/pull/1049).

-- 
Christian Huitema



_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
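The client-side detection Huitema argues for in the message above, as an added example that is not part of the thread and is not the content of PR #1049: it pulls the server's key_share out of a TLS 1.3 ServerHello (layout per RFC 8446) and keeps a record of which public value each host presented, so that a value that comes back unchanged across sessions, or that is shared between hosts in a farm, is flagged. The ServerHello bytes, host names and the "flag on any repeat" policy are constructed for this example; a real client would want a tolerance window for the short-lived caching the message concedes is legitimate.

```python
"""Client-side detection of (EC)DH key_share reuse across TLS 1.3 ServerHellos.

Added example, not code from the thread or from PR #1049. The ServerHello
builder produces constructed test input; the detector's policy (flag any
repeat within a host, flag any value seen from more than one host) is a
hypothetical one chosen to make the reuse visible.
"""
import struct
from collections import defaultdict

HANDSHAKE_SERVER_HELLO = 2
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_KEY_SHARE = 0x0033
GROUP_X25519 = 0x001D


def build_server_hello(group: int, key_exchange: bytes, with_key_share: bool = True) -> bytes:
    """Construct a minimal TLS 1.3 ServerHello handshake message (test input, not a capture)."""
    random = bytes(range(32))                     # fixed, arbitrary 32-byte server random
    body = b"\x03\x03" + random                   # legacy_version + random
    body += b"\x00"                               # legacy_session_id_echo: empty
    body += b"\x13\x01"                           # TLS_AES_128_GCM_SHA256
    body += b"\x00"                               # legacy_compression_method
    exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"
    if with_key_share:
        entry = struct.pack("!HH", group, len(key_exchange)) + key_exchange
        exts += struct.pack("!HH", EXT_KEY_SHARE, len(entry)) + entry
    body += struct.pack("!H", len(exts)) + exts
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_server_key_share(msg: bytes):
    """Return (group, key_exchange) from a ServerHello, or None if it carries no key_share."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                                  # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip legacy_session_id_echo
    pos += 2 + 1                                  # skip cipher_suite and compression
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_KEY_SHARE:                # ServerHello form: a single KeyShareEntry
            group, klen = struct.unpack_from("!HH", data, 0)
            return group, data[4:4 + klen]
    return None


class KeyShareReuseDetector:
    """Remembers the (group, public value) each host sent and reports reuse.

    Hypothetical policy: a repeat within one host is reported as 'reused';
    a value presented by more than one host is reported as 'shared'.
    """

    def __init__(self):
        self.seen_by_host = defaultdict(list)     # host -> [(group, key_exchange), ...]
        self.hosts_by_key = defaultdict(set)      # (group, key_exchange) -> {host, ...}

    def observe(self, host: str, server_hello: bytes) -> list:
        share = parse_server_key_share(server_hello)
        if share is None:
            return ["no key_share: not a fresh (EC)DHE exchange"]
        findings = []
        if share in self.seen_by_host[host]:
            findings.append(f"reused: {host} presented the same key_share again")
        for other in sorted(self.hosts_by_key[share] - {host}):
            findings.append(f"shared: {host} and {other} present the same key_share")
        self.seen_by_host[host].append(share)
        self.hosts_by_key[share].add(host)
        return findings


if __name__ == "__main__":
    # Constructed scenario: a.example rotates, then falls back to an old key,
    # and b.example (same farm) turns out to hold the very same key.
    key_a, key_b = bytes([0x11]) * 32, bytes([0x22]) * 32
    det = KeyShareReuseDetector()
    for host, key in [("a.example", key_a), ("a.example", key_b),
                      ("a.example", key_a), ("b.example", key_a)]:
        for finding in det.observe(host, build_server_hello(GROUP_X25519, key)):
            print(finding)
```

The record keyed on (group, key_exchange) rather than on the raw bytes alone matters: the same byte string under two groups is two different public keys, and a detector that conflates them would produce exactly the false positives the quoted remark warns about.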
