On Tue, Oct 17, 2023 at 12:32 PM David Benjamin <david...@chromium.org>
wrote:

>
> > Server-side protection against [clients adjusting HRR predictions on
> > fallback] is not effective. Especially when we have both servers that
> > cannot handle large ClientHello messages and servers that have buggy HRR.
>
> I think the discussion about buggy HRR is a red herring.
>

I agree with almost everything in the email except for this part. It's even
worse than HRR, isn't it? The initial ClientHello will fail if spread
across too many packets on some implementations, and then a new ClientHello
will be sent using X25519 unless you want to lose customers. The client
won't get an HRR back on the first try, the stuff just breaks (it's their
bug, but it must be dealt with). But, if the DNS says it should work, it
should be ok to fail there. The trustworthiness of this hint must also be
weighed with ECH. So, if you're using SVCB with this idea and ECH, it seems
pretty reasonable to me.

thanks,
Rob
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls