On Thu, Dec 29, 2016 at 11:08 AM, Eric Rescorla <[email protected]> wrote:
>> >> As an individual, I'd be in favour of this change but reading
>> >> over [1], section 5, I wondered if we'd analysed the effects of
>> >> 0rtt/replayable-data with that kind of cross-domain re-use in mind?
>> >> The situation being where session ID based caches or session ticket
>> >> equivalents in tls1.3 are shared over multiple domains.
I think there is the following interaction: Given two servers, S1 and S2, which are nominally s1.example.com and s2.example.com, but which both have a *.example.com cert and share ticket keys: An attacker could redirect a 0-RTT handshake that was destined to S1 and feed it to S2. If S2 ignores the SNI value (common) it could accept and process the 0-RTT data even though it was destined for S1.

However, in that case TLS 1.2 is probably also affected because S2 would likely process a 1.2 handshake that was destined to S1 as well. (Even without a shared ticket key or session cache.)

See http://antoine.delignat-lavaud.fr/doc/www15.pdf for more.

Cheers

AGL
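A constructed Python model of the interaction AGL describes, added here as an illustration and not code from the thread or from any TLS implementation. The ticket layout, the names s1/s2.example.com and the `check_sni` branch (a server that refuses early data unless both the ClientHello SNI and the name the ticket was issued for are its own) are assumptions; real TLS 1.3 tickets and PSK binders are considerably more involved.

```python
import base64
import hashlib
import hmac
import json

# Constructed key: in the thread's scenario s1 and s2 both hold the same ticket key.
SHARED_TICKET_KEY = b"constructed-shared-ticket-key"
TAG_LEN = 32


def issue_ticket(issuing_sni: str, psk: bytes) -> bytes:
    """Simplified ticket: the name the client resumed against is MACed into the
    ticket so a sibling server sharing the key can see which host issued it."""
    body = json.dumps({"sni": issuing_sni, "psk": psk.hex()}).encode()
    tag = hmac.new(SHARED_TICKET_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


def open_ticket(ticket: bytes):
    """Returns the ticket contents, or None if the MAC does not verify."""
    raw = base64.b64decode(ticket)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SHARED_TICKET_KEY, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(expected, tag) else None


def accept_0rtt(server_name: str, client_hello_sni: str, ticket: bytes,
                check_sni: bool) -> bool:
    """0-RTT acceptance decision for the server that received this ClientHello.
    check_sni=False models the "S2 ignores the SNI value" server from the thread:
    any ticket under the shared key is accepted. check_sni=True (assumed
    mitigation) accepts early data only when the ClientHello SNI and the ticket's
    issuing name are both this host."""
    contents = open_ticket(ticket)
    if contents is None:
        return False
    if not check_sni:
        return True
    return client_hello_sni == server_name and contents["sni"] == server_name


def redirected_handshake_accepted(check_sni: bool) -> bool:
    """Client resumes against s1; the attacker delivers that ClientHello to s2."""
    ticket = issue_ticket("s1.example.com", b"\x01" * 16)
    return accept_0rtt("s2.example.com", "s1.example.com", ticket, check_sni)


if __name__ == "__main__":
    print("s2 ignoring SNI accepts s1's 0-RTT:", redirected_handshake_accepted(False))
    print("s2 checking SNI accepts s1's 0-RTT:", redirected_handshake_accepted(True))
```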
