Re: [TLS] Tickets and cross protocol attacks

2016-03-30 Thread David Benjamin
It's probably better to reject this fallback when the client has chosen to
> explicitly use a TLS 1.3 feature with 0-RTT in general.
>
> Subodh
>
> From: Martin Thomson [martin.thom...@gmail.com]
> Sent: Tuesday, March 29, 2016 6:29 PM

Re: [TLS] Tickets and cross protocol attacks

2016-03-30 Thread Subodh Iyengar
From: Martin Thomson [martin.thom...@gmail.com]
Sent: Tuesday, March 29, 2016 6:29 PM
To: David Benjamin
Cc: Subodh Iyengar; tls@ietf.org
Subject: Re: [TLS] Tickets and cross protocol attacks

On 30 March 2016 at 05:00, David Benjamin <david...@chromium.org> wrote:
> On the server, OpenSSL

Re: [TLS] Tickets and cross protocol attacks

2016-03-29 Thread Martin Thomson
On 30 March 2016 at 05:00, David Benjamin wrote:
> On the server, OpenSSL already includes the version in the SSL_SESSION
> structure, and recent enough versions of it will not accept sessions at the
> wrong version

NSS too. This is the right thing, I think. I have no

Re: [TLS] Tickets and cross protocol attacks

2016-03-29 Thread David Benjamin
On Tue, Mar 29, 2016 at 12:57 PM Subodh Iyengar wrote:
> Recent attacks like SLOTH, DROWN, PKCS1.5 padding oracles have shown that
> attacks on previous versions of TLS can be used to attack new versions of
> TLS.
>
> One thing that is not mandated by TLS 1.3 is separation of

[TLS] Tickets and cross protocol attacks

2016-03-29 Thread Subodh Iyengar
Recent attacks like SLOTH, DROWN, PKCS1.5 padding oracles have shown that attacks on previous versions of TLS can be used to attack new versions of TLS. One thing that is not mandated by TLS 1.3 is separation of session tickets and session ids between TLS protocols. For example a client could use