Re: [TLS] Encryption of TLS 1.3 content type (Martin Rex) Mon, 28 July 2014 14:41 UTC

I also object to the removal of the ContentInfo from the outer
TLS record protocol.  I'm not aware of the slightest rationale for
this severe backwards incompatibility, that will not just break
middle-boxes, but also applications that parse TLS records for the
purpose of non-blocking operation.

Colm MacCárthaigh wrote:
> Leaking alert messages has been a recurring theme common to several
> attacks; hindering a MITM's ability to discern alert messages seems
> like a rational rationale.

Which attacks do you have in mind?  I'm actually not aware of any.

The Bleichenbacher PKCS#1 decryption oracle happened during the
cleartext phase (so this doesn't apply here), and while the
CBC guessing happened in the encrypted phase, the attacker was
in possession of the decryption key, could properly decrypt the
alert, and use it to distinguish decryption failure from MAC failure.

So in both situations, content hiding would not have had the slightest
impact on these attacks.