by tialaramex
2146 days ago
In TLS 1.2 a client is vulnerable if a session ticket is issued, regardless of whether it was ever used. The ticket contains enough information to decrypt everything from your session if an adversary knows or subsequently learns the STEK to decrypt the ticket. In TLS 1.3 it matters whether you use the ticket: if you just discard tickets they can't hurt you; if you use the ticket while an on-path adversary knows the STEK, they could MITM you. As a result, in TLS 1.2 what matters is whether the TLS client implementation reports willingness to accept tickets, not whether you've written code to actually ever use the resulting tickets. If your library says "Sure, send me a ticket", then in TLS 1.2 the only thing protecting your session is the STEK inside the server; if that leaks or isn't actually random, you lose regardless of what you do with the tickets, including throwing them away.
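As an added example (not part of the comment above), the Python script below shows how a defender can check the "Sure, send me a ticket" signal the comment refers to: it parses a TLS 1.2 ClientHello and reports whether the session_ticket extension (type 0x0023, RFC 5077) is advertised, and it builds a client SSLContext that does not advertise it. The ClientHello bytes are constructed here, not captured from a real connection.

```python
import ssl
import struct

SESSION_TICKET_EXT = 0x0023  # session_ticket extension type (RFC 5077)


def build_client_hello(extensions):
    """Constructed minimal TLS 1.2 ClientHello record; extensions is [(type, data)]."""
    body = b"\x03\x03" + bytes(32)                # client_version + random (zeros, sample only)
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_extensions(record):
    """Parse a handshake record carrying a ClientHello; return {ext_type: ext_data}."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                # handshake header, version, random
    p += 1 + hs[p]                                # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
    p += 1 + hs[p]                                # compression_methods
    exts = {}
    if p >= len(hs):                              # extensions block is optional
        return exts
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p < end:
        t, ln = struct.unpack("!HH", hs[p:p + 4])
        exts[t] = hs[p + 4:p + 4 + ln]
        p += 4 + ln
    return exts


def advertises_session_ticket(record):
    """True if this ClientHello tells the server it may issue a session ticket."""
    return SESSION_TICKET_EXT in client_hello_extensions(record)


def client_context_without_tickets():
    """Client SSLContext configured so the session_ticket extension is not advertised."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_TICKET
    return ctx


def context_refuses_tickets(ctx):
    return bool(ctx.options & ssl.OP_NO_TICKET)
```

With a real capture, feed the first record of the client's flight to advertises_session_ticket to confirm what your library actually sends, rather than what its documentation says.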