[Cryptography] WireGuard

John-Mark Gurney jmg at funkthat.com
Mon Sep 3 14:37:21 EDT 2018


Peter Gutmann wrote this message on Mon, Sep 03, 2018 at 14:48 +0000:
> John-Mark Gurney <jmg at funkthat.com> writes:
> 
> >The issues w/ TLS is that previous versions did not integrate all protocol
> >messages into the key agreement, and that the client would have to "self
> >downgrade" to allow broken servers to negotiate a functional channel...
> 
> This was actually fixed with the (somewhat misnamed) Extended Master Secret,
> EMS.  Admittedly you can still try and roll that back and it'll be detected,
> but later on in the handshake process. 

Only if you have a client and/or server that requires it.  You cannot
have a client that requires it of all servers, and you cannot have a
server that requires it of all clients if you need to support older
clients...

This means that the client has to know which servers support it and
enforce it, meaning that it cannot be deployed on standard websites
for years...

So, yes, TLS CAN be made to be in some cases, but the protocol as
currently deployed cannot be...  If this or a similar mechanism had
been included in TLS 1.2, the world would be in a much better place
today.

Is there an HTTP header like HSTS to require it on future negotiations?

It'd be interesting to have a "required since X date" on HSTS and other
headers like it.  If the web browser eventually gets that, but notices
that you've visited the site before w/o receiving the header, warn the
user that their past communications have been compromised.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
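The "required since X date" idea above, worked through as client-side policy logic. This is an added example, not code from the thread or from any browser or TLS library; the header name `Require-EMS`, its `since=YYYY-MM-DD` syntax, and the `EmsPolicyStore` class are assumptions modelled on how HSTS pins are stored per host. The point it shows beyond the prose is the ordering a client needs: enforce an existing pin before trusting anything the new handshake delivered, never let a later header shrink an already-pinned window, and look back through prior sessions to find the ones that fall inside the window without Extended Master Secret.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical header and syntax (an assumption of this example, not a standard):
#   Require-EMS: since=2018-07-01
HEADER_NAME = "Require-EMS"

OK = "ok"                  # nothing to report
REFUSED = "refused"        # host is pinned, but this handshake lacked EMS
WARN_PAST = "warn-past"    # earlier sessions fall inside the required-since window


@dataclass
class Session:
    """One observed connection to a host (constructed sample data in the test)."""
    host: str
    day: date
    ems_negotiated: bool
    headers: dict = field(default_factory=dict)


@dataclass
class Verdict:
    status: str
    suspect_days: list = field(default_factory=list)


def parse_require_ems(value: str) -> date:
    """Parse 'since=YYYY-MM-DD' out of the hypothetical header; ValueError otherwise."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "since":
            return date.fromisoformat(val.strip())
    raise ValueError("Require-EMS header without a since= date")


class EmsPolicyStore:
    """Per-host pin store, analogous to a browser's HSTS list (assumed design)."""

    def __init__(self) -> None:
        self.required_since: dict = {}   # host -> earliest date EMS was required
        self.history: dict = {}          # host -> list of observed Sessions

    def observe(self, s: Session) -> Verdict:
        # 1. Enforce an existing pin before trusting anything from this handshake:
        #    a downgraded (non-EMS) connection to a pinned host delivers nothing.
        if s.host in self.required_since and not s.ems_negotiated:
            return Verdict(REFUSED)

        self.history.setdefault(s.host, []).append(s)

        # 2. Learn a pin from the header, if the response carried one.
        raw = s.headers.get(HEADER_NAME)
        if raw is None:
            return Verdict(OK)
        since = parse_require_ems(raw)

        # A later header claiming a more recent date must not shrink the window
        # already pinned; keep the earliest date ever seen for the host.
        prev = self.required_since.get(s.host)
        if prev is None or since < prev:
            self.required_since[s.host] = since

        # 3. Look back over everything seen for this host, including the session
        #    that carried the header: any connection on or after the since-date
        #    that ran without EMS is the case the mail wants the user warned about.
        suspect = [p.day for p in self.history[s.host]
                   if p.day >= since and not p.ems_negotiated]
        if suspect:
            return Verdict(WARN_PAST, suspect)
        return Verdict(OK)
```

The refusal happens before the session is even recorded, so a downgraded handshake can neither seed history nor deliver a weaker header; a `WARN_PAST` verdict lists the exact days the client talked to the host without EMS inside the window, which is what the user would need to judge what was exposed.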
