by rurban 3013 days ago
So it looks like this season's NSA/GCHQ backdoor is 0-RTT, and will be implemented into the commercial variants, whilst the open source variants will turn it off by default. Or use it like Cloudflare, in HTTPS without GET params only.
3 comments

Can you explain how 0-RTT might be used as a back door?

(... edit, actually, I recognize this username from previous nonsensical discussions about crypto and backdoors: https://news.ycombinator.com/item?id=13364173 )

Thankfully those folks easily expose themselves. Calling the SipHash security theatre senseless explains it also.

The trick about "backdoors" is that they are hidden. 0-RTT has very explicit guarantees about what it can and cannot do. By its very nature, and as written in the spec, it allows for a replay attack (which is in many cases entirely harmless, but is a concern regardless).

The rest of your comment is less sensible than the first. Everyone will implement it, and it's up to the user to decide whether they feel that they need the feature and know that their application is unaffected by replay attacks.
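As an added illustration of the point above (this is example code written for this page, not code from the thread, from Cloudflare, or from any TLS library), the following shows the kind of application-layer decision a server has to make once it enables 0-RTT: a request delivered as early data may be a replay, so the application either serves it only when a replay is harmless, or answers 425 Too Early (RFC 8470) so the client retries over the completed handshake. The `early_data` flag on the request, the `Idempotency-Key` header and the `ReplayGuard` window are assumptions made for the example; the "parameter-less GET only" rule mirrors the Cloudflare policy mentioned earlier in the thread.

```python
"""
Added example: server-side policy for TLS 1.3 0-RTT early data.

Assumptions (not stated in the thread):
- The TLS terminator tells the application whether a request arrived in the
  0-RTT flight; this is modelled as the boolean `early_data` on Request.
- HTTP 425 "Too Early" comes from RFC 8470: the client is asked to resend the
  request once the handshake has completed, where replay is no longer possible.
- The 'Idempotency-Key' header is a convention invented for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Methods that HTTP semantics (RFC 9110) define as safe; they are the only
# ones worth even considering for early data.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""            # text after '?' in the request target
    early_data: bool = False   # True if the TLS layer delivered it as 0-RTT
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def early_data_decision(req: Request) -> str:
    """
    Decide what to do with a request that may have arrived as early data.
      'accept'    - safe to process now
      'too_early' - reply 425 and let the client retry over the full handshake
    Requests that did not arrive as early data are always accepted: once the
    handshake has finished, a replayed 0-RTT flight cannot reach this path.
    """
    if not req.early_data:
        return "accept"
    # Cloudflare-style rule from the thread: only a parameter-less safe
    # request is served straight from early data.
    if req.method in SAFE_METHODS and req.query == "":
        return "accept"
    return "too_early"


class ReplayGuard:
    """
    Application-level duplicate detection for the early-data requests we do
    accept. A key seen again inside the window is treated as a replay. This is
    per-process state, so a replay delivered to a different server instance
    would not be caught by it; that is the well-known limit of this approach.
    """
    def __init__(self, window_seconds: float = 10.0):
        self.window = window_seconds
        self._seen: Dict[str, float] = {}

    def is_replay(self, key: Optional[str], now: float) -> bool:
        # Expire old entries first so the map does not grow without bound.
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.window}
        if key is None:
            return False   # nothing to deduplicate on; the policy above decides
        if key in self._seen:
            return True
        self._seen[key] = now
        return False


def handle(req: Request, guard: ReplayGuard, now: float) -> Response:
    """Combine the policy and the replay guard into an HTTP-style response."""
    if early_data_decision(req) == "too_early":
        return Response(425, "Too Early: retry over the completed handshake")
    if req.early_data and guard.is_replay(req.headers.get("Idempotency-Key"), now):
        return Response(409, "Conflict: duplicate early-data request dropped")
    return Response(200, f"{req.method} {req.path} processed")


# Constructed sample traffic (not captured from any real server).
SAMPLE = [
    Request("GET", "/index.html", early_data=True),                 # 200
    Request("GET", "/search", query="q=x", early_data=True),        # 425: query params
    Request("POST", "/transfer", early_data=True),                  # 425: not safe
    Request("POST", "/transfer", early_data=False),                 # 200: after handshake
    Request("GET", "/a", early_data=True, headers={"Idempotency-Key": "k1"}),  # 200
    Request("GET", "/a", early_data=True, headers={"Idempotency-Key": "k1"}),  # 409: replay
]


def run_sample():
    """Return the status code produced for each constructed request, in order."""
    guard = ReplayGuard(window_seconds=10.0)
    return [handle(r, guard, now=1000.0 + i).status for i, r in enumerate(SAMPLE)]


if __name__ == "__main__":
    for req, status in zip(SAMPLE, run_sample()):
        print(status, req.method, req.path, "early" if req.early_data else "1-RTT")
```

The design choice worth noting is that the 425 path does the real work: rejecting anything non-idempotent from the 0-RTT flight means a replayed flight can at worst cause a harmless repeated read, while the `ReplayGuard` only narrows the remaining window for requests the policy already considered safe.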

You make it sound like NSA/GCHQ somehow secretly put a weakness into an IETF standard that's gone through many public drafts...
That's roughly the line of their job, as we have all learned the hard way a few years back.
So they’re hardly the only intelligence agencies in the world, so I don’t get why they’re specifically being pointed out unless you have some direct evidence.

As far as I'm aware, 0-RTT started with Google's QUIC. It's since gone through a ton of academic and industry debate, particularly at the IETF level. It's something optional to turn on, comes with notes on limitations and weaknesses, and major supporting vendors like Cloudflare have giant blog posts about how it can be used in only limited ways. How is this an intelligence-crafted backdoor?

If you were going to point fingers (probably unfairly) at people whose agenda seems compatible with agencies that don't like BCP#188 (the IETF policy document "Pervasive Monitoring Is an Attack") then the best candidates would be those asking for the "transparency" features, some of which claimed at different times to represent data centre operators, financial institutions, and IoT manufacturers.

None of that made it into this draft; indeed, the Monday meeting (this link is about the Wednesday meeting, although practically speaking I think this was a done deal by Monday) of the TLS working group at IETF 101 basically killed all those plans, at least insofar as they impact TLS 1.3 itself. The IETF operates on "rough consensus" and there wasn't any way forward on "transparency" (aka snooping) that had consensus, so it was either publish this or stall forever.