On Fri, May 1, 2026 at 1:48 PM David Benjamin <[email protected]> wrote:
> On Fri, May 1, 2026 at 4:41 PM Eric Rescorla <[email protected]> wrote:
>
>> On Fri, May 1, 2026 at 1:34 PM Jan Schaumann <jschauma=[email protected]> wrote:
>>
>>> Eric Rescorla <[email protected]> wrote:
>>>
>>> > If you have access to the traffic keys you certainly can mount
>>> > a MITM attack, but you can also just take over the connection
>>> > and impersonate the server entirely
>>>
>>> How does an adversary only able to compromise the
>>> key-exchange for a specific session impersonate the
>>> server for any traffic outside of this session?
>>>
>>
>> It doesn't. Sorry, what I meant was that there's no need to
>> send traffic to the server at all once you compute the traffic
>> keys. In other words, you act as an endpoint rather than
>> being "in the middle".
>>
>
> It does extend a little beyond the connection. The attacker has learned
> every secret established during the handshake. Not only can they
> impersonate the server over this connection, they also know the resumption
> secrets for all issued tickets and can impersonate the server when that
> client reconnects with the ticket. They can also keep on issuing more
> tickets over any of these connections and try to extend their attack on
> this client. (Also an attacker with a CRQC that can break one instance of
> some classical algorithm presumably can run the attack again on other
> instances.)
>
> They also know the exporter secret, which the application may be depending
> on for whatever.
>

I agree with these statements. Jan used the word "session", which I decided to read informally, even though it's not really as much of a concept in TLS 1.3, but it's good to be precise.

While we're on the topic, it *also* lets them collect things like cookies and passwords, which would also allow client impersonation in many cases.

-Ekr
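As an added illustration of David's point (my own example code, not anything posted in this thread or taken from a TLS implementation): the TLS 1.3 key schedule of RFC 8446 section 7.1, written out in plain Python on top of hashlib/hmac. Every secret it returns, including the exporter master secret and the resumption master secret from which per-ticket PSKs are derived, is a deterministic function of the PSK, the (EC)DHE shared secret and the public handshake transcript, which is exactly why recovering the (EC)DHE secret of one handshake exposes the resumption and exporter secrets too. The transcript and secret inputs used with it are constructed placeholders, not a real handshake.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # SHA-256 cipher suites (e.g. TLS_AES_128_GCM_SHA256)
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()  # HKDF-Extract, RFC 5869

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): chained HMAC over T(i-1) || info || i."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s7.1); info is the serialized HkdfLabel struct."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret: the context is the transcript hash of the messages so far."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def key_schedule(psk: bytes, ecdhe_shared: bytes, transcript_sh: bytes,
                 transcript_sfin: bytes, transcript_cfin: bytes) -> dict:
    """Every TLS 1.3 secret as a pure function of (PSK, (EC)DHE secret, transcript)."""
    zeros = b"\x00" * HASH_LEN
    early = hkdf_extract(zeros, psk or zeros)  # no PSK -> all-zero input keying material
    handshake = hkdf_extract(derive_secret(early, b"derived", b""), ecdhe_shared)
    master = hkdf_extract(derive_secret(handshake, b"derived", b""), zeros)
    return {
        "server_hs_traffic": derive_secret(handshake, b"s hs traffic", transcript_sh),
        "client_ap_traffic": derive_secret(master, b"c ap traffic", transcript_sfin),
        "server_ap_traffic": derive_secret(master, b"s ap traffic", transcript_sfin),
        "exporter_master": derive_secret(master, b"exp master", transcript_sfin),
        "resumption_master": derive_secret(master, b"res master", transcript_cfin),
    }

def ticket_psk(resumption_master: bytes, ticket_nonce: bytes) -> bytes:
    """PSK that a NewSessionTicket with this nonce will reference (RFC 8446 s4.6.1)."""
    return hkdf_expand_label(resumption_master, b"resumption", ticket_nonce, HASH_LEN)
```

The transcript arguments stand for the concatenated handshake messages up to ServerHello, server Finished and client Finished respectively; since all of them are sent in the clear or under keys derived from the same inputs, nothing in the schedule remains secret once the (EC)DHE value is known.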
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
