Yoav Nir wrote:
>
> On 3 Nov 2016, at 16:31, Martin Rex <[email protected]> wrote:
>>
>> Since then, I've seen exactly ZERO rationale why the cleartext contenttype,
>> which has existed through SSLv3->TLSv1.2 would be a problem. With the
>> removal of renegotiation from TLSv1.3, it is even less of a problem to
>> keep the contenttype in the clear.
>
> Here?s some to get this to somewhat >0:
>
> Most TLS 1.2 connections will have a few handshake records,
> followed by a couple of CCS records followed by a whole bunch of
> application records, followed possibly by a single Alert.
>
> You only see more handshake records in two cases:
> 1. The client decided to re-negotiate. That is exceedingly rare.
> 2. The server decided a renegotiation is needed
> so it sent a HelloRequest followed by a handshake.
>
> With visible content type, you can tell these two flows apart.
(a) so what? for those interested, one can tell such flows appart
pretty reliably by traffic analysis. So there is exactly ZERO
protection against bad guys, while breaking the good guys.
(b) but TLSv1.2 remains unchanged, and this flow does not seem to
exist in TLSv1.3, since renegotiation no longer exists in TLSv1.3.
-- so why would we need a backwards-incompatible change in a
protocol that protects something that no longer exists,
but which severely breaks existing middleware, making it
impossible to drop-in replace a TLSv1.2 implementation with
a TLSv1.3 implementation that has this backwards-incompatibility.
-Martin
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
