What makes a conversation safe? Well it has to be IDEMPOTENT. What does that mean? It means if you hear an order twice, that's safe, you only do it once. "Let x = 1" is idempotent. "x += 1" is not. O.k. easy, right?
Oh right, no that's exactly what's happening. So here's my advice: if you see a server supporting 0-RTT and that server doesn't give you an iron-clad guarantee that when the key is used, it's deleted, and that your EARLY CONVERSATION can't be repeated ... don't use it.
Last message in the thread: no, 0-RTT is not some NSA backdoor (Dear HN: grow up), there are no intentional back doors in TLS 1.3, and it is still overall AWESOME AND EXCITING and we'll be adding it to s2n ... VERY SOON. EOF.
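Added example, not part of the original thread and not s2n code: a constructed Python model (not real TLS) of the replay concern described above, showing an idempotent and a non-idempotent request delivered twice in 0-RTT early data, with and without single-use tickets. The names `Server`, `issue_ticket`, `early_data` and `replay` are hypothetical.

```python
# Constructed model of 0-RTT early-data replay; not real TLS, not s2n code.
import hashlib
import hmac
import os

class Server:
    def __init__(self, single_use_tickets):
        self.key = os.urandom(32)        # ticket authentication key
        self.single_use = single_use_tickets
        self.spent = set()               # ticket ids already redeemed
        self.state = {"x": 0}

    def issue_ticket(self):
        tid = os.urandom(16)
        return tid + hmac.new(self.key, tid, hashlib.sha256).digest()

    def early_data(self, ticket, request):
        """Handle a request sent in the first flight; True if it was applied."""
        tid, tag = ticket[:16], ticket[16:]
        expected = hmac.new(self.key, tid, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                 # forged or corrupted ticket
        if self.single_use:
            # Assumption: in a real deployment this set is shared by every
            # host that accepts the ticket, or a replay lands on another host.
            if tid in self.spent:
                return False             # replayed first flight is refused
            self.spent.add(tid)
        op, value = request
        if op == "set":                  # "Let x = 1": idempotent
            self.state["x"] = value
        elif op == "add":                # "x += 1": not idempotent
            self.state["x"] += value
        else:
            return False
        return True

def replay(server, request, copies=2):
    """Deliver one captured first flight `copies` times; return (x, results)."""
    ticket = server.issue_ticket()
    results = [server.early_data(ticket, request) for _ in range(copies)]
    return server.state["x"], results

if __name__ == "__main__":
    print(replay(Server(False), ("set", 1)))   # replay accepted, state unchanged
    print(replay(Server(False), ("add", 1)))   # replay accepted, applied twice
    print(replay(Server(True), ("add", 1)))    # replay refused, applied once
```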
And in making that even possible within the confines of TLS 1.3, the TLS 1.3 authors have probably invented a new class of eventual exploits aimed at an opportunity created by another new perverse incentive from the performance boost of a non-compliant server implementation.
I haven't encountered anyone in the process who doubts that there will be 0-RTT related security issues. The disagreement tends to be about whether the risks are low and the trade-off is worth it.