.... except it costs the server money. It has to cache more keys, and it's not easy to distribute across wide geographic areas, and comes with its own distributed systems challenges. But guess what? THAT'S ALL THE TLS SERVER'S PROBLEM.
-
... no need to modify thousands of applications, no need to teach PHP and RubyOnRails developers the intricacies of idempotency edge cases. Nope, just one slightly costly change within the TLS1.3 servers. So that's my plan, and REJOICE again, because TLS1.3 can have secure 0-RTT
-
.... unless some TLS servers would cut corners, and just want the fast benchmarks, and you know .... deploy TLS1.3 0-RTT without built-in SAFETY mechanisms. That would be INSANE, I mean, why risk bugs and side-channels, right?
-
Oh right, no that's exactly what's happening. So here's my advice: if you see a server supporting 0-RTT and that server doesn't give you an iron-clad guarantee that when the key is used, it's deleted, and that your EARLY CONVERSATION can't be repeated ... don't use it.
-
Last message in the thread: no, 0-RTT is not some NSA backdoor (Dear HN: grow up), there are no intentional back doors in TLS1.3, and it is still overall AWESOME AND EXCITING and we'll be adding it to s2n ... VERY SOON. EOF.
-
Once I saw DANE I lost interest, DNSSEC is train wreck awful. Do not use.
-
Replying to @colmmacc
Smug FUD mongering is fun, but harmful. You really should find a better pastime. Read RFC7435, and think about why good enough security is better than none. Ciao.
-
Replying to @VDukhovni
No FUD! DNSSEC doesn't provide secrecy, anti-replay, or even anti-forgery in practice. If it /just/ did nothing it might be an ok experiment, but it also causes real outages due to complexity, and makes DDOSes worse. That makes it not a good idea.
-
Replying to @colmmacc @VDukhovni
Now I'm falling into a DNSSEC hole. I agree on no secrecy and no anti-replay. Is it really not useful against anti-forgery? If not, why not? I don't see the issue other than some questionable key size/alg decisions which should get resolved over time. Am I missing something?
-
Absolutely! 1/ DNSSEC does *nothing* between your Browser/computer and your resolver. But that's the weakest link! 2/ For other links, junk crypto like RSA-512 with SHA1 is still common. I can break that on my watch.
-
Replying to @colmmacc @VDukhovni
But, short of a subset of bad implementers using small keys & bad algs, it is still regarded as strong against forgery between resolving-server and root+authoritatives, right?
-
Replying to @mdhardeman @VDukhovni
No! An attacker can use a weak alg even if you don’t. As long as those algs are supported at all it’s not a subset problem, it’s an everything problem.