Everyone who followed our ROBOT recommendations is safe from this (disable RSA key exchange) https://twitter.com/eyalr0/status/1068520428824481792
Eyal made an interesting suggestion too: use a different key for non-FS cipher-suites. May be worth some experimentation for environments that have to support plain RSA KX.
Had a private chat with him about this already, my thought is it's unlikely to happen due to complexity and lack of software support.
There are many ways to mitigate. But the point of the paper is that 20 years later we still struggle to mitigate against these leaks. It's just too hard.
by the way key separation was already proposed in this paper https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf by @tibor_jager etc. We hadn't mentioned it in ROBOT because imho deprecation is the cleaner and also more likely solution given the low usage and complexity that key separation would mean.
We also discussed this at the TLS 1.3 workshop in San Diego in 2016. Key separation with enc/sign only certs requires clients to check this and warn or abort if necessary. Back then browser devs were not willing to do this, they were afraid of losing users.