On Fri, 09 Oct 2015 12:48:38 -0000, Karthikeyan Bhargavan <[email protected]> wrote:

- We note that RSA ciphersuites already provide a version downgrade mitigation, although it has itself caused many headaches due to bleichenbacher attacks. But if a server implements good side-channel resistance to bleichenbacher attacks, TLS 1.3 can be protected from downgrades to both RSA and (EC)DHE ciphersuites in
  older protocol versions.

For reference, the version field in the TLS premaster secret is not checked by many servers, IIRC some of them have large market shares.

--
Sincerely,
Yngve N. Pettersen

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls

Reply via email to