ok, who finds the first 0-rtt-based vulnerability in a famous web app? https://blog.cloudflare.com/introducing-0-rtt/ …
My preference is to nuke all session resumption from orbit. Benefit is low, loss of security cost is huge.
-
fastopen has massive DDoS implications (which we kinda care about) and what do you mean by loss of security (in 1.3)?
-
With session resumption you don't have real ephemeral keys. I didn't mean new loss in 1.3, just existing vs no-resume.
-
1.3 fixes that fully :)
-
How? It seems fundamentally impossible but I'd love to see a solution if it works!
-
the 0-RTT piece (if any) is still decryptable with the STK (only), but everything after that is passed through ECDH
-
Ah, that makes sense. Awesome job expressing that in the constraints of a tweet.