On Fri, May 1, 2026 at 4:41 PM Eric Rescorla <[email protected]> wrote:

> On Fri, May 1, 2026 at 1:34 PM Jan Schaumann <jschauma=[email protected]> wrote:
>
>> Eric Rescorla <[email protected]> wrote:
>>
>> > If you have access to the traffic keys you certainly can mount
>> > a MITM attack, but you can also just take over the connection
>> > and impersonate the server entirely
>>
>> How does an adversary only able to compromise the
>> key-exchange for a specific session impersonate the
>> server for any traffic outside of this session?
>>
>
> It doesn't. Sorry, what I meant was that there's no need to
> send traffic to the server at all once you compute the traffic
> keys. In other words, you act as an endpoint rather than
> being "in the middle".
>

It does extend a little beyond the connection. The attacker has learned
every secret established during the handshake. Not only can they
impersonate the server over this connection, they also know the resumption
secrets for all issued tickets and can impersonate the server when that
client reconnects with the ticket. They can also keep on issuing more
tickets over any of these connections and try to extend their attack on
this client. (Also an attacker with a CRQC that can break one instance of
some classical algorithm presumably can run the attack again on other
instances.)

They also know the exporter secret, which the application may be depending
on for whatever.

David
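As an added illustration (not part of this thread, and not code from any of the participants), the RFC 8446 key schedule traced in Python with the standard library only: every secret David lists (the resumption PSK behind each ticket, the exporter secret) is derived deterministically from the one (EC)DHE output, so an attacker who recovers that output obtains all of them. The (EC)DHE output, transcript hashes and ticket nonces in demo() are constructed stand-ins.

```python
import hashlib
import hmac
HASH = hashlib.sha256
HLEN = HASH().digest_size        # 32 for SHA-256
EMPTY_HASH = HASH(b"").digest()  # Transcript-Hash("") used by Derive-Secret(..., "derived", "")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt or b"\x00" * HLEN, ikm, HASH).digest()  # RFC 5869; empty salt = HashLen zeros

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """RFC 8446 HKDF-Expand-Label: info is the HkdfLabel struct (uint16 length, label, context)."""
    full_label = b"tls13 " + label.encode("ascii")
    info = length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: str, transcript_hash: bytes) -> bytes:
    return hkdf_expand_label(secret, label, transcript_hash, HLEN)

def session_secrets(ecdhe_shared: bytes, th_sh: bytes, th_sf: bytes, th_cf: bytes) -> dict:
    """Full (non-PSK) handshake, RFC 8446 7.1; th_* = transcript hash through ServerHello / server / client Finished."""
    early = hkdf_extract(b"", b"\x00" * HLEN)  # no PSK, so the early-secret IKM is zeros
    hs = hkdf_extract(derive_secret(early, "derived", EMPTY_HASH), ecdhe_shared)
    master = hkdf_extract(derive_secret(hs, "derived", EMPTY_HASH), b"\x00" * HLEN)
    return {
        "server_handshake_traffic": derive_secret(hs, "s hs traffic", th_sh),
        "server_application_traffic": derive_secret(master, "s ap traffic", th_sf),
        "exporter_master": derive_secret(master, "exp master", th_sf),
        "resumption_master": derive_secret(master, "res master", th_cf),
    }

def ticket_psk(resumption_master: bytes, ticket_nonce: bytes) -> bytes:
    return hkdf_expand_label(resumption_master, "resumption", ticket_nonce, HLEN)  # RFC 8446 4.6.1, one PSK per ticket

def tls_exporter(exporter_master: bytes, label: str, context: bytes, length: int) -> bytes:  # RFC 8446 7.5
    return hkdf_expand_label(derive_secret(exporter_master, label, EMPTY_HASH), "exporter", HASH(context).digest(), length)

def demo() -> dict:
    """Constructed stand-ins: one recovered (EC)DHE output, three transcript hashes, two issued tickets."""
    s = session_secrets(bytes.fromhex("11" * 32), *[HASH(b"constructed transcript %d" % i).digest() for i in range(3)])
    return {"psk_ticket_0": ticket_psk(s["resumption_master"], b"\x00\x00"),
            "psk_ticket_1": ticket_psk(s["resumption_master"], b"\x00\x01"),
            "exporter": tls_exporter(s["exporter_master"], "EXPORTER-demo", b"ctx", 16)}
```

Note that the resumption master secret depends on the client Finished transcript while the exporter master secret does not, so changing only th_cf changes every ticket PSK but leaves the exporter output intact.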
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
