On Wed, May 3, 2017 at 3:56 PM, Martin Thomson <[email protected]> wrote:
> On 3 May 2017 at 22:45, Colm MacCárthaigh <[email protected]> wrote:
>> This is easy to say; the TLS layer is the right place. It is not practical
>> for applications to defend themselves, especially from timing attacks.
>
> If you care about these attacks as much as it appears, then you can't
> reasonably take this position. We've historically done a lot to
> secure applications at a single point, and we're almost at the end of
> what we can reasonably do for them at this layer. We need to think
> more holistically and acknowledge that applications need to take some
> responsibility for their own security.

Historically TLS protected against replay attacks. Now it doesn't. An application that relies on this property which TLS used to guarantee is now broken. Clearly we could have provided it, we just chose not to.

>
> _______________________________________________
> TLS mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/tls

--
"Man is born free, but everywhere he is in chains".
--Rousseau.
