> On 1 Dec 2015, at 3:36 AM, Jacob Appelbaum <ja...@appelbaum.net> wrote: > > On 12/1/15, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote: >> On Mon, Nov 30, 2015 at 10:34:27AM +0000, Peter Gutmann wrote: >> >>> Bryan A Ford <brynosau...@gmail.com> writes: >>> >>>> It would work just as well and in exactly the same way if the AEAD is >>>> replaced with the traditional Encrypt-then-MAC construction, for >>>> example. >>> >>> No it wouldn't, unless the encrypt part is a stream cipher. You're still >>> locked into using an AEAD stream cipher or the equivalent of an AEAD >>> stream >>> cipher built with encrypt+MAC. It won't work with, for example, the OCB >>> AEAD >>> mode, or CBC + MAC. >> >> I think we should focus on what would get TLS 1.3 to be adopted: >> >> * Reasonably implementable in libraries that support older >> versions alongside TLS 1.3. >> > > That doesn't change with Bryan's suggestion, I think. > >> * Interoperable in the field with various capital-intensive >> middle boxen. > > Which would those be? And what is the definition of capital-intensive > for those watching on the sidelines?
Firewall, IPS/IDS devices. Boxes that attempt to perform sanity-check on protocols to make sure that the stuff going over TCP port 443 is really HTTPS rather than an attempt at tunneling. There are some attacks such the the code that protects against them needs to follow TLS record sizes. For the most part these are not-so-interesting attacks, causing certain versions of certain browsers to hang, and they are expensive for the firewall to protect against, so for the most part these protections are turned off. But it’s not everywhere. If enough middleboxes block TLS 1.3, the browsers will implement a downgrade dance. If they do that, attackers will be able to exploit the downgrade dance. I don’t think the net effect is better security. We’d be far better off writing a separate document on how to use the padding feature that is already in 1.3 to mitigate traffic analysis without actually flooding your Internet connection. Splitting records and padding a few can be more effective than masking the length bits. Yoav _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls