My colleagues and AWS Cryptography engineers, Shay and Nir, found an interesting gap in some of the TLS1.3 security proofs: https://eprint.iacr.org/2019/347 Thankfully it's very low severity, and impacts only external PSK mode, which is very rarely used. Doesn't impact resumption.
The issue is that PSK mode doesn't authenticate an identity, so messages can be rerouted between recipients that have the same PSK. In a way that's obvious, like sharing certs on servers, but there's a less thought-of case too where a message can be reflected back to the sender.
PSK = Pre Shared Key. Which is when you configure TLS clients and servers to trust each other based on a (long) shared password. The issue doesn't come up at all if you use SNI or combine PSK with regular certs.
I mentioned resumption, because in TLS1.3 session resumption uses the underlying PSK mode. The issue doesn't come up in that case because the PSKs used for resumption mode are exclusively pair-wise. TLS1.3 is still in the best shape we know of any TLS version.
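To make the "no identity in PSK mode" point concrete, here is an added example (not code from the thread, the paper, or any TLS library) that implements the TLS 1.3 PSK binder derivation from RFC 8446 with only the standard library. The endpoint names, the shared and pair-wise keys, and the "partial ClientHello" bytes are constructed placeholders; the binder depends only on the PSK and the transcript, so every holder of a shared external PSK, the sender included, validates the same binder.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def psk_binder(psk: bytes, partial_client_hello: bytes, external: bool = True) -> bytes:
    """RFC 8446 binder: early_secret -> binder_key -> finished_key -> HMAC(transcript)."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)          # HKDF-Extract(0, PSK)
    binder_key = derive_secret(early_secret, b"ext binder" if external else b"res binder", b"")
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HASH_LEN)
    return hmac.new(finished_key, HASH(partial_client_hello).digest(), HASH).digest()

def endpoints_accepting(binder: bytes, partial_client_hello: bytes, keys: dict) -> list:
    """Names of endpoints whose configured PSK validates this binder (nothing else is checked)."""
    return sorted(name for name, psk in keys.items()
                  if hmac.compare_digest(psk_binder(psk, partial_client_hello), binder))

# Constructed sample values: one fleet-wide external PSK vs. pair-wise PSKs.
HELLO = b"constructed partial ClientHello bytes"
SHARED = b"constructed-shared-external-psk-32b"
FLEET = {"client": SHARED, "server-a": SHARED, "server-b": SHARED}
PAIRWISE = {"server-a": b"constructed-psk-client-to-a", "server-b": b"constructed-psk-client-to-b"}

if __name__ == "__main__":
    print("shared PSK accepted by:", endpoints_accepting(psk_binder(SHARED, HELLO), HELLO, FLEET))
    print("pair-wise PSK accepted by:",
          endpoints_accepting(psk_binder(PAIRWISE["server-a"], HELLO), HELLO, PAIRWISE))
```

With the shared key the output lists all three holders, including "client" itself, which is the reflection case; with pair-wise keys only "server-a" accepts, which is why resumption PSKs are unaffected.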