@igrigorik qq: what do modern browsers do with `ticket_lifetime_hint`? Should http://istlsfastyet.com take it into account?
@sleevi_ @davidben__ @igrigorik @SaveTheRbtz "I'll throw away the master secret for this session after X and/or I'd like you to do so."
@BRIAN_____ @davidben__ @igrigorik @SaveTheRbtz Right, but that's like asking the client "Please set the evil bit if you have malware"
@sleevi_ @davidben__ @igrigorik @SaveTheRbtz No. It's good to throw away secrets when they're only useful to attackers, not you.
@BRIAN_____ @davidben__ @igrigorik @SaveTheRbtz Under what threat model does it provide value? Only client compromise
@sleevi_ @BRIAN_____ @davidben__ if you compromise client, you should be able to decrypt previously captured traffic up to "lifetime" secs.
@SaveTheRbtz If you compromise client to the point you have cross-process memory access, you have far worse problems. That's the point.
@sleevi_ agreed. Broken PFS would probably be the least important thing at that point.