Re: [TLS] WGLC: draft-ietf-tls-session-hash

Stephen Checkoway <> Mon, 24 November 2014 11:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 431FA1A6EE6 for <>; Mon, 24 Nov 2014 03:58:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aHkiwQ0kUJPQ for <>; Mon, 24 Nov 2014 03:58:53 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C8EF41A6EE5 for <>; Mon, 24 Nov 2014 03:58:53 -0800 (PST)
Received: by with SMTP id k15so6081380qaq.24 for <>; Mon, 24 Nov 2014 03:58:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=unUXnrLb8sKjuH9n7qAos+R+lgG8niKlfR1EHSLjc8E=; b=AOABJJTvrUDpvWIhkawWSMumPNya657GU5EfmgDEl4x/4uW5ewiraTJ/BEQpATDaFH wLPqxjtx5AFsgSZu+htTjLz1XY55HQewU7pfS5xhZopWoBkc3peiCfQDcMVQhIe2v2Kv rCS/QzFkXh8FEnlyDpnEbeW2RZbzOP5nICSeWn3SVREoy+scblO6NgTBRNZCkN5Wo+wD 1mw1zXTi5yPxKMxD8M1r9IYUdnt0PYdgksgY1O03I28xWN4c788vja+ug8mAFIMhokq2 3f2ZXDYldWjcFyATiWw/UZk40/Qu2TPE5Z7+dR8Wrs6zEUwo7fpqHZPX2RajK06yjxKD 6jSA==
X-Gm-Message-State: ALoCoQkL0Wwdba0K2giBBZZtLPEE1JquN4l1noKdD2+qahjCV/yOrhe9TprpCY/wOQOFF4Ky796v
X-Received: by with SMTP id x9mr12913018qam.45.1416830333005; Mon, 24 Nov 2014 03:58:53 -0800 (PST)
Received: from ([]) by with ESMTPSA id b17sm9898069qah.35.2014. for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Nov 2014 03:58:51 -0800 (PST)
Received: from [] ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id ABE32AC2842; Mon, 24 Nov 2014 06:58:49 -0500 (EST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Stephen Checkoway <>
In-Reply-To: <>
Date: Mon, 24 Nov 2014 06:58:48 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.1878.6)
Cc: " (" <>
Subject: Re: [TLS] WGLC: draft-ietf-tls-session-hash
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 24 Nov 2014 11:58:55 -0000

On Nov 24, 2014, at 3:44 AM, Yoav Nir <> wrote:

> Third issue: Why can’t an attacker disable this protection by simply omitting the extension from both its ClientHello and ServerHello?  At least in the short term it won’t be practical to fail a handshake because the other side doesn’t support this extension. I guess the answer is that the ruse will work, but the other attacks mentioned in TRIPLE-HS will fail, but it’s not clear to me why. A can still proxy unchanged records from C to S if the connections are resumptions. Perhaps servers should be prohibited from resuming a session set up without this extension if the ClientHello does include the extension.

The draft currently says "Clients and servers SHOULD NOT resume sessions that do not use the extended master secret..." Are you saying you want that to be MUST NOT?

Stephen Checkoway