ok, who finds the first 0-rtt-based vulnerability in a famous web app? https://blog.cloudflare.com/introducing-0-rtt/ …
Replying to @hanno
Also the blog post exaggerates cost without 0rtt: TCP fastopen lets you merge phase 2 and round-trip-1 of phase 3.
Replying to @RichFelker @hanno
My preference is to nuke all session resumption from orbit. Benefit is low, loss of security cost is huge.
Replying to @RichFelker @hanno
fastopen has massive DDoS implications (which we kinda care about) and what do you mean by loss of security (in 1.3)?
Replying to @FiloSottile @hanno
With session resumption you don't have real ephemeral keys. I didn't mean new loss in 1.3, just existing vs no-resume.
Replying to @FiloSottile @hanno
How? It seems fundamentally impossible but I'd love to see a solution if it works!
Replying to @RichFelker @hanno
the 0-RTT piece (if any) is still decryptable with the STK (only), but everything after that is passed through ECDH
1 reply 0 retweets 0 likes
Ah, that makes sense. Awesome job expressing that in the constraints of a tweet.