Re: [TLS] Fwd: New Version Notification for draft-thomson-http-replay-00.txt

On Wed, Jun 28, 2017 at 02:02:33PM -0500, Benjamin Kaduk wrote:
> On 06/26/2017 12:44 PM, Martin Thomson wrote:
> > Thanks for your thoughts Ben,
> >
> > On 26 June 2017 at 08:32, Benjamin Kaduk <> wrote:
> >
> >> In section 2, I'm not sure that we need to mention the TLS-native
> >> strateg(ies) (item 4).
> > I think that it's important to mention, if only because a lot of the
> > other defenses rely on that point you made earlier about reducing the
> > potential billions down to something more manageable.  It's especially
> > relevant when you are worrying about leakage through side-channels.
> Well, I hope that TLS ends up mandating something that is not the
> potential billions, in which case it's less of an issue here. Of course,
> if TLS does not make such a mandate, we could still do so here ...

Well, the stuff to ensure that you don't get billions (or millions) of
replays is only SHOULD in the current proposal at TLS WG...

> >> (Token binding is one thing that comes to mind, as the
> >> requests would need to be regenerated with the proper bindings;
> > Ahh, 0-RTT token binding is a horror.  This is why generally the
> > "start over" thing is important.  I think that the best way to
> Yes.  I don't have any suggested text right now that would emphasize
> this more, but there may be room for improvement in this area.

I think tokbind mandates strict global anti-replay for 0-RTT token
binding. Because there would be an attack otherwise.


Received on Wednesday, 28 June 2017 20:01:04 UTC