by colmmacc
3186 days ago

TLS 1.3 still has problems with STEKs. If you use STEKs with 0-RTT mode, then you lose forward secrecy and that's where the most sensitive data is likely to be: your request, password, credit card number, etc. 0-RTT doesn't have to use STEKs, there's a better way to do it, but TLS 1.3 won't enforce or require it (though it could), so it'll be up to the marketplace of ideas and security standards to sort it out.

0-RTT trades performance at the expense of security properties inside the same tunable protocol, which is the sort of wishy-washy stuff I (and others) were hopeful we'd get away from, the same way PFS ciphersuites went from obscure to preferred overnight, the same way cleartext HTTP has been marginalized, the same way broken ciphersuites were aggressively blacklisted and underused ciphersuites were pruned.
[1] https://tools.ietf.org/html/draft-ietf-httpbis-replay-00