New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache timing warning #1225
Comments
This isn't strictly specific to 0-RTT. A network attacker can already direct the client's connection to any one cache node and then observe side effects. The main thing enabled by replayability is trying the attack multiple times (up to allowed ticket_age skew) for more reliable signal. |
True, and worth clarifying. A really strong network attacker could even prevent all other access to that cache node, likely giving them several minutes to enumerate different resources, looking for the one the user requested before it expires. |
I guess, conversely, a weak network attacker that can see the traffic, but not interfere with it, might not be able to redirect the client's connection, but 0-RTT would enable them to replay it elsewhere. |
This attack is often possible even without a timing channel due to application-layer behaviors that allow cache probing (e.g. in HTTP and DNS). This change addresses the original concern in tlswg#1225. A more thorough revamp of the anti-replay and side channel recommendations might be needed to address all the questions raised there.
We're looking at incremental change here. @davidben do you have anything you want to add? |
I think past-me was just noting this isn't really 0-RTT-specific. If a user's request has side effects you can observe later, you inherently can observe them. And if those side effects are more interesting if you target a particular server instance you use, a network attacker can always direct you traffic there. From what I can see, what's specific to 0-RTT is just:
Not sure what implications this has on text. Perhaps something like...
|
Ben Schwartz writes:
The text was updated successfully, but these errors were encountered: