On Thu, Dec 6, 2018 at 12:33 PM Daniel Kahn Gillmor <d...@fifthhorseman.net>
wrote:

> So it's conceivable that truly malicious servers would do this, of
> course, but they might also just publish the master secret on twitter
> too, and the client wouldn't know how to detect that inband either.  But
> for the misbehavior that we *can* detect in-band, a responsible client
> should be aware of it and avoid it, right?
>

If nothing else, implementations which reuse ephemeral keys for long
periods of time are buggy and contain a vulnerability which violates the
security assumptions of the protocol.

I think it's reasonable for clients to detect and reject this behavior, as
it's an indicator TLS has been deployed in an insecure way and therefore
the connection should be aborted. I think this could detect a wide range of
"real world" TLS implementation failures which have come up in the past,
including bugs in random number generation and bugs in the code in TLS
stacks responsible for rotating ephemeral keys.

-- 
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
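The client-side check discussed in this message, as an added example that is not part of the thread or of any TLS stack: a monitor that remembers the (EC)DHE key shares a server has presented in ServerHello and aborts a handshake when one is presented again, which is exactly the in-band signal that the "ephemeral" key is not being rotated. The two server classes are simulations written for this example; `os.urandom(32)` stands in for an X25519 public key share, and the hostnames are made up.

```python
# Added example, not code from the TLS list thread or from any real TLS
# implementation. Simulates a client that refuses a server key share it has
# already seen, against a correctly rotating server and a buggy caching one.
import os
import time
from collections import OrderedDict


class ReusedKeyShareError(Exception):
    """Raised when a server presents a key share the client has already seen."""


class KeyShareMonitor:
    """Bounded LRU record of (group, key_share) pairs observed in ServerHello.

    A repeated key share means the server's "ephemeral" private key is being
    reused across connections, so forward secrecy for the earlier connection
    now depends on that key never leaking.
    """

    def __init__(self, max_entries=4096):
        self._seen = OrderedDict()      # (group, key_share) -> (host, first_seen)
        self._max_entries = max_entries

    def observe(self, host, group, key_share):
        key = (group, bytes(key_share))
        if key in self._seen:
            first_host, first_seen = self._seen[key]
            raise ReusedKeyShareError(
                f"{host}: {group} key share first seen from {first_host} "
                f"at {first_seen:.0f} was presented again; aborting handshake")
        self._seen[key] = (host, time.time())
        if len(self._seen) > self._max_entries:
            self._seen.popitem(last=False)   # evict the oldest entry
        return True


class RotatingServer:
    """Correct behaviour: a fresh key share for every handshake."""
    group = "x25519"

    def key_share(self):
        return os.urandom(32)   # stand-in for a freshly generated X25519 public key


class CachingServer:
    """Buggy behaviour: the 'ephemeral' key is cached for `lifetime` seconds."""
    group = "x25519"

    def __init__(self, lifetime, clock=time.monotonic):
        self._lifetime = lifetime
        self._clock = clock      # injectable so the expiry can be tested offline
        self._share = None
        self._made_at = None

    def key_share(self):
        now = self._clock()
        if self._share is None or now - self._made_at >= self._lifetime:
            self._share = os.urandom(32)
            self._made_at = now
        return self._share


def run_handshakes(server, host, monitor, count):
    """Return how many handshakes the client accepted before it aborted."""
    accepted = 0
    for _ in range(count):
        try:
            monitor.observe(host, server.group, server.key_share())
        except ReusedKeyShareError:
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    print("rotating server:", run_handshakes(RotatingServer(), "good.example",
                                             KeyShareMonitor(), 10))
    print("caching server :", run_handshakes(CachingServer(lifetime=3600), "bad.example",
                                             KeyShareMonitor(), 10))
```

Two caveats a deployment would need to settle: the record is bounded, so a server that rotates its key only slightly faster than the client's table fills up will not be caught, and the check is keyed on the key share alone rather than per host, because the same share appearing behind two different names is, if anything, a stronger sign the key is long-lived.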