On Tue, Mar 13, 2018 at 3:16 PM, Russ Housley <hous...@vigilsec.com> wrote:

> Second, using
> TLS1.2 does not technically address the issue. If the client were to
> exclusively offer DHE-based ciphersuites, then the visibility techniques
> that have been used in the past are thwarted.

I expect this configuration to become more common in the future. In November 2017, US NIST published draft SP 800-52 r2 (https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/draft) which explicitly disallows all non-DH cipher suites. The comment period closed on 1 Feb 2018, and none of the published comments pushed back on this. Given that PCI DSS and many other standards refer to the NIST Special Publications for implementation requirements, I would not be surprised to see DH-only (including ECDH/ECDHE/DHE) become prevalent.

Based on the comments from the proponents of the various drafts, it would seem that this should be a bigger concern than any changes in TLS 1.3, as it is implementable today.

I highly suspect that the currently deployed systems will not handle handshakes that only offer DH suites, right?

Thanks,
Peter

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
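
The following is an added example, not part of the original message: it parses a ClientHello record and reports whether the client offers any static-RSA key exchange suites, which is how one can measure how many clients already match the DH-only configuration discussed above. The function names, the partial suite table and the sample records are assumptions constructed for illustration.

```python
import struct

# Static RSA key exchange suites (no forward secrecy). IDs are from the IANA
# TLS registry; this is a partial list chosen for illustration.
STATIC_RSA = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 0x16 or len(body) != rlen or rlen < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                          # client_version + random
    if len(hello) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                 # session_id length byte + session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    slen = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + slen]
    if len(raw) != slen or slen % 2:
        raise ValueError("bad cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, slen, 2)]

def static_rsa_offered(record: bytes) -> list:
    """Names of offered suites that use static RSA key exchange."""
    return [STATIC_RSA[s] for s in offered_suites(record) if s in STATIC_RSA]

def sample_hello(suites) -> bytes:
    """Constructed minimal ClientHello record, used only as sample input."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    dh_only = sample_hello([0xC02F, 0xC030, 0x009E])   # ECDHE/DHE suites only
    mixed = sample_hello([0xC02F, 0x009C, 0x002F])
    print("DH-only client offers static RSA:", static_rsa_offered(dh_only))
    print("Mixed client offers static RSA:  ", static_rsa_offered(mixed))
```

An empty result means the handshake can only complete with an (EC)DHE suite, so a monitoring device that depends on the server's RSA private key will not be able to decrypt that session.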