Encrypted SNI can’t work against active attackers: on 1.3 failure, browsers will fallback to 1.2 which leaks it before downgrade is detected
-
-
Replying to @FiloSottile
@FiloSottile Assuming they do fallback. If the TLS 1.3 ClientHello is changed, the need for fallback can be eliminated, probably.2 replies 0 retweets 1 like -
Replying to @BRIAN_____
@BRIAN_____ some stupid firewalls and middleboxes will drop 1.3 CH, forcing fallback2 replies 0 retweets 0 likes -
Replying to @FiloSottile
@FiloSottile Easily fixable by making ClientHello.client_version be 0x0303 again like 1.2. I agree encrypted SNI seems to have limits.1 reply 0 retweets 1 like -
Replying to @BRIAN_____
@BRIAN_____ however the CH looks like I don't understand how a 1.2/1.3 client can avoid falling back to plain SNI /cc@sleevi_@grittygrease1 reply 0 retweets 0 likes -
Replying to @FiloSottile
@FiloSottile@sleevi_@grittygrease Yes, that's what I meant about "I agree encrypted SNI seems to have limits."1 reply 0 retweets 0 likes -
-
Replying to @FiloSottile
@FiloSottile It would prb be reasonable to have fallback from TLS 1.3 ClientHello w/ encrypted SNI to TLS 1.3 ClientHello w/ plaintext SNI.1 reply 0 retweets 0 likes
@FiloSottile But, I don't want the only way to do things compatibility to be TLS 1.3 w/ encrypted SNI -> TLS 1.2.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.