On Thu, Dec 29, 2016 at 02:45:53PM -0800, Adam Langley wrote:
> On Thu, Dec 29, 2016 at 11:08 AM, Eric Rescorla <[email protected]> wrote:
>
> >> >> As an individual, I'd be in favour of this change but reading
> >> >> over [1], section 5, I wondered if we'd analysed the effects of
> >> >> 0rtt/replayable-data with that kind of cross-domain re-use in mind?
> >> >> The situation being where session ID based caches or session ticket
> >> >> equivalents in tls1.3 are shared over multiple domains.
>
> I think there is the following interaction:
>
> Given two servers, S1 and S2, which are nominally s1.example.com and
> s2.example.com, but which both have a *.example.com cert and share
> ticket keys:
>
> An attacker could redirect a 0-RTT handshake that was destined to S1
> and feed it to S2. If S2 ignores the SNI value (common) it could
> accept and process the 0-RTT data even though it was destined for S1.
Sounds like a standard-issue default-vhost attack (which are sadly common
security issues in https://).

> However, in that case TLS 1.2 is probably also affected because S2
> would likely process a 1.2 handshake that was destined to S1 as well.
> (Even without a shared ticket key or session cache.) See
> http://antoine.delignat-lavaud.fr/doc/www15.pdf for more.

You mean redirecting a full handshake meant for s1.example.com to
s2.example.com? Or redirecting a TLS 1.2 resumption handshake?

Also, wonder how many servers don't check for SNI when resuming...

-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
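As an added illustration of the check the thread asks about (this is example code, not from the thread or from any TLS implementation): a ticket that binds the PSK to the issuing server name, and the resumption-acceptance logic both with and without the SNI check. The HMAC-only ticket format, the shared demo key and the host names are constructed for the example; real tickets are AEAD-encrypted.

```python
import hashlib
import hmac
import struct

SHARED_TICKET_KEY = bytes(range(32))  # constructed demo key shared by S1 and S2
TAG_LEN = 32


def issue_ticket(key: bytes, server_name: str, psk: bytes) -> bytes:
    """Mint a resumption ticket that binds the PSK to the issuing server name.
    Real tickets are AEAD-encrypted; an HMAC tag is enough to show the binding,
    since the point is what the *resuming* server checks."""
    name = server_name.encode("ascii")
    payload = struct.pack(">H", len(name)) + name + psk
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_ticket(key: bytes, ticket: bytes):
    """Return (bound_server_name, psk), or None if the tag does not verify."""
    if len(ticket) < 2 + TAG_LEN:
        return None
    payload, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None
    (n,) = struct.unpack(">H", payload[:2])
    name, psk = payload[2:2 + n], payload[2 + n:]
    if len(name) != n:
        return None
    return name.decode("ascii"), psk


def accept_early_data_ignoring_sni(key, ticket, client_sni, local_names):
    """The behaviour the thread describes: any ticket under the shared key is
    accepted, so 0-RTT data meant for S1 is processed by S2 (client_sni and
    local_names are deliberately unused)."""
    return open_ticket(key, ticket) is not None


def accept_early_data_checking_sni(key, ticket, client_sni, local_names):
    """Hardened check: the ticket must be bound to the name in the ClientHello
    SNI, and this server must actually be configured to serve that name."""
    opened = open_ticket(key, ticket)
    if opened is None or client_sni is None:
        return False
    bound_name, _psk = opened
    return bound_name == client_sni and client_sni in local_names
```

With a ticket issued by s1.example.com and redirected to a server that only serves s2.example.com, the first function accepts the early data and the second rejects it.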
