IETF Logo Mail Archive

Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety

Martin Thomson <martin.thomson@gmail.com> Mon, 28 March 2016 23:53 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33CEF12D0CF for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 16:53:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQiJg6FZEHu9 for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 16:53:52 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76FF2127058 for <tls@ietf.org>; Mon, 28 Mar 2016 16:53:52 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id g185so2967050ioa.2 for <tls@ietf.org>; Mon, 28 Mar 2016 16:53:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=n8Ky81c0XUTzy87x/T+myq2/ptS+hT8HFNbqc1sSl+g=; b=nISAz/GgZRN6xnYuw5etpXJJtZVss+b5wSAxASFDTyPWdfBorW0w7Xk0fKO34jm2G2 WPuoZ4Iejoan7R9r8QULheaS5rr/LLRAum5kL5lCTi3VeMFRJShKGgVHn0GxTf0DPx+c PQtx8gmkWJ7T75WUEwGFKr+Qi3075mMJ9u2x4VdPzvjCC4g/UbRRVV5K9PCI35ecqe+c 87rSFwJ5smZ1wizsO4nb6nIsbi4hbD8XA6hupkFZb0sMbGtUFi1jZ7DN6T28V4tEuShs GHfZykalhAThocXj7HR/Ed+bPcn7eon3vz4fzwGRuQXz1L/luEVzzqQhi0j6xvakPKQL 2/ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=n8Ky81c0XUTzy87x/T+myq2/ptS+hT8HFNbqc1sSl+g=; b=k+uV0BqhyL7HhwVjLgvZcimRPpWwzt2OJPXkQZro4v4qBFlZ7o+ImGOnlwp2EhrOID t3xUYQgOo0CjtbGFlbNvyOVw4UxWYv/ux8QjB4l5rR6R7eFM7ntOiNNjz8qXZYuoFdHp DdsXC1Q/HuJpvYyISaWKckoPOxPcjPWtXQfnbIhjr8A3aT96qAcMV7mMV6WVdPfaPI/d zeDytnTQb7nYIseR8QuUBIhym2iskF55J1HH/5ycH+qbLa/XCZTVnF5RBE8dgBA28KuN 7VkBNQYTTkSSLXLxCcjNk3kFY/sHZdKtmP3cyqbFlIHgEAV4Kb7SjPn6U5+jiBa6Bexo k52g==
X-Gm-Message-State: AD7BkJJsVfS+/lI5tMFkLJ7CNLSU+8mA1i+CKRhQ1HkA9wu4qETBVS5PYKJuIvCoPVJxIZbfBkuBhgMCh9XldA==
MIME-Version: 1.0
X-Received: by 10.107.161.140 with SMTP id k134mr12210635ioe.190.1459209231889; Mon, 28 Mar 2016 16:53:51 -0700 (PDT)
Received: by 10.36.43.142 with HTTP; Mon, 28 Mar 2016 16:53:51 -0700 (PDT)
In-Reply-To: <r470Ps-10114i-5AC104EF3FD2444C920BFB79296F6D1D@Williams-MacBook-Pro.local>
References: <CAAF6GDeLshxG0o2_a9vPBTMtNHLNf9tynJaPPnAm2ZrAca19iw@mail.gmail.com> <r470Ps-10114i-5AC104EF3FD2444C920BFB79296F6D1D@Williams-MacBook-Pro.local>
Date: Tue, 29 Mar 2016 10:53:51 +1100
Message-ID: <CABkgnnVN_U1JemNwRXiNtbcysuMekHWSK=CjUz++EwTqb2oWGw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Bill Frantz <frantz@pwpconsult.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/oNDl_khPYummRXC0_RKvoDlaaDU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 23:53:54 -0000

On 29 March 2016 at 08:04, Bill Frantz <frantz@pwpconsult.com> wrote:
>> surely there are very sensitive things in urls,
>
>
> A number of URLs include an authorization token which authorizes access to a
> resource. This token is frequently a long "unguessable" number. It must be
> kept secret. I think DropBox URLs are one example.

The risk to the secrecy of that sort of data is limited.

The primary risk is in the traffic analysis that might be performed as
a result of replaying.

v2.23.0 | Report a Bug | By Email