by tialaramex
2999 days ago
In TLS up to 1.2, straight RSA is an option. TLS 1.3 requires DH, so it has this simpler flow. You are correct that with DH we already don't need RSA encryption, but did you make sure to remove straight RSA support from all your servers? Yes, the specification says, and means, transcript. Signing the entire communications transcript means a MitM can't touch anything. For example, if a client optimistically wants to use the VeryVerySecure feature and we are a MitM who wants to prevent that, we might think to fake a message from the server saying "No, I don't understand VeryVerySecure - do WeakAntique instead". In TLS 1.3 this extra message will be in the client's transcript, so a transcript signature from the server without any mention of VeryVerySecure fails, and our MitM attack with it.
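The downgrade scenario in the comment above, as an added toy model (not code from the commenter, and not a TLS implementation): each side keeps its own ordered list of handshake messages, the server signs a hash of its list (standing in for CertificateVerify over the TLS 1.3 Transcript-Hash), and the client verifies that signature against its own list. The message encoding, the feature names VeryVerySecure/WeakAntique, and the use of Ed25519 from Go's standard library are assumptions made for the example; the binding property does not depend on the signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Message is a simplified handshake message: a type name plus a body.
// Toy model of TLS 1.3 transcript binding; not a TLS implementation.
type Message struct {
	Type string
	Body string
}

// transcriptHash hashes every message one party has sent or received, in
// order, standing in for TLS 1.3's running Transcript-Hash. Type and body
// are length-prefixed so concatenation is unambiguous.
func transcriptHash(msgs []Message) []byte {
	h := sha256.New()
	for _, m := range msgs {
		fmt.Fprintf(h, "%d:%s:%d:%s;", len(m.Type), m.Type, len(m.Body), m.Body)
	}
	return h.Sum(nil)
}

// signTranscript models the server's CertificateVerify: a signature over the
// server's own view of the handshake so far. Ed25519 is an assumption here.
func signTranscript(priv ed25519.PrivateKey, transcript []Message) []byte {
	return ed25519.Sign(priv, transcriptHash(transcript))
}

// verifyTranscript is the client's check: the signature must match the
// client's own view of the handshake, including anything injected on the wire.
func verifyTranscript(pub ed25519.PublicKey, transcript []Message, sig []byte) bool {
	return ed25519.Verify(pub, transcriptHash(transcript), sig)
}

// RunHandshake simulates the exchange and reports whether the client accepts
// the server's signature. With mitm=true an attacker answers the client's
// first ClientHello with a forged HelloRetryRequest rejecting VeryVerySecure;
// the client records it and re-sends a weaker ClientHello, and only that
// second ClientHello ever reaches the real server.
func RunHandshake(mitm bool) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}

	clientHello := Message{"ClientHello", "features=VeryVerySecure,WeakAntique"}
	clientT := []Message{clientHello}
	var serverT []Message

	if mitm {
		// Forged server message: the client logs it because it arrived on the
		// wire, but the server never sees it because the server never sent it.
		fakeHRR := Message{"HelloRetryRequest", "I don't understand VeryVerySecure - do WeakAntique instead"}
		clientT = append(clientT, fakeHRR)
		clientHello = Message{"ClientHello", "features=WeakAntique"}
		clientT = append(clientT, clientHello)
	}
	// The server's transcript starts from the ClientHello it actually received.
	serverT = append(serverT, clientHello)

	// The server picks the strongest feature offered in the ClientHello it saw.
	selected := "WeakAntique"
	if strings.Contains(clientHello.Body, "VeryVerySecure") {
		selected = "VeryVerySecure"
	}
	serverHello := Message{"ServerHello", "selected=" + selected}
	serverT = append(serverT, serverHello)
	clientT = append(clientT, serverHello)

	// CertificateVerify: server signs its transcript, client checks against its own.
	sig := signTranscript(priv, serverT)
	return verifyTranscript(pub, clientT, sig), nil
}

func main() {
	honest, _ := RunHandshake(false)
	attacked, _ := RunHandshake(true)
	fmt.Println("honest handshake accepted:", honest)  // true
	fmt.Println("MitM downgrade accepted:", attacked)  // false
}
```

The attacker's fake HelloRetryRequest and the client's second ClientHello exist only in the client's transcript, so the two sides hash different byte sequences and the server's signature, valid over its own view, fails the client's verification. Note that in TLS up to 1.2 the server's signature (where there is one) covers only the key exchange parameters, which is why this particular check is new in 1.3.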
Indeed, although straight RSA encryption fell out of favor some time ago. I see your original point now. Cheers.