by tptacek 1464 days ago
I mean, TLS 1.1 isn't a good thing, but which <TLS1.3 bugs actually would have impacted Tarsnap? SMACK, maybe? Probably not POODLE, given the ciphersuites you'd have locked down to. Not BERserk (you'd never use NSS). The TLS BB'98 attacks didn't hit any library you'd actually use. No Triple Handshake, since you wouldn't do renegotiation. No BREACH, TIME or CRIME (they don't fit Tarsnap anyways). No RC4 (lol). No Lucky13, for the same reason as no POODLE. No BEAST, because you don't do Javascript. And now we're back to 2007 (or pre-2007) for attacks on TLS.

It's possible that I could have taken TLS 1.1 and removed all the broken parts, sure. I mean, that's pretty much what TLS 1.3 is.

But frankly I trust my ability -- both now and in 2007 -- to use standard cryptographic algorithms to build a new protocol far more than I trust my ability to remove all the crap from TLS 1.1.

(Did you deliberately not mention Heartbleed?)

Heartbleed isn't a TLS vulnerability any more than an overflow in GnuTLS is.

The threshold question is, "could this vulnerability be reasonably expected to recur in independent implementations of the protocol?"

As for stripping back TLS 1.1 --- it wouldn't take much more than simply picking a single ciphersuite and requiring TLS 1.1. You wouldn't need to know, for instance, about export ciphers.
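The two configuration steps this comment describes, pinning a single protocol version and a single ciphersuite, as an added example that is not from the thread or from Tarsnap's code. It uses Python's ssl module on top of OpenSSL. TLS 1.2 and the ECDHE-RSA-AES128-GCM-SHA256 suite are assumed values, chosen because current OpenSSL builds disable TLS 1.1 by default, so the 2007-era suites discussed here are no longer negotiable; the audit function is the check a reviewer would run to confirm the pin actually took.

```python
import ssl

# Assumed values (not from the thread): one version, one AEAD suite.
PINNED_VERSION = ssl.TLSVersion.TLSv1_2
PINNED_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def build_locked_down_context(version=PINNED_VERSION, suite=PINNED_SUITE):
    """Client context pinned to exactly one protocol version and one suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # peer verify + hostname check on
    # Step 1: one version. min == max leaves no room for a version downgrade.
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Step 2: one suite. Anything not matching the string (export, NULL, RC4,
    # CBC suites) is never offered, so OpenSSL's old defaults cannot be reached.
    # Raises ssl.SSLError if this build has no cipher matching the string.
    ctx.set_ciphers(suite)
    ctx.load_default_certs()
    return ctx


def _offered_suites(ctx, version):
    """Suites the context would offer for `version`. get_ciphers() also lists
    the TLS 1.3 suites whatever the version pin, so filter by protocol label."""
    label = version.name.replace("_", ".")  # TLSv1_2 -> "TLSv1.2"
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == label]


def audit(ctx):
    """What a reviewer checks: is the context actually pinned as intended?"""
    single_version = ctx.minimum_version == ctx.maximum_version
    suites = _offered_suites(ctx, ctx.maximum_version) if single_version else []
    return {
        "single_version": single_version,
        "single_suite": single_version and len(suites) == 1,
        "suites": suites,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    print("pinned  :", audit(build_locked_down_context()))
    print("default :", audit(ssl.create_default_context()))
```

The `audit` step matters because `set_ciphers` silently keeps TLS 1.3 suites in the enabled list on OpenSSL 1.1.1+, so counting `get_ciphers()` without the protocol filter would overstate what is offered; comparing `minimum_version` to `maximum_version` is the check that the downgrade window is really closed.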

That seems like the wrong question. My options were "write my own protocol" or "use OpenSSL" -- writing my own TLS stack was never on the table.

Right, I get that, but you could have done the two config things I just mentioned with OpenSSL.

I get why you didn't use OpenSSL. The normal thing for someone like you to do in 2022 would be to use Noise.

What are real world implementations of the Noise Protocol? https://github.com/noiseprotocol/noise_spec/blob/v34/noise.m...

Quick search shows the WireGuard protocol, but I am not sure how much of the WireGuard protocol is the same as the Noise Protocol.

https://www.wireguard.com/formal-verification/ https://www.wireguard.com/papers/wireguard-formal-verificati...

  The WireGuard protocol is extensively detailed in [2], which itself is based on the NoiseIK [3] handshake.

I found a page by Duo Labs listing Noise in Production.

https://duo.com/labs/tech-notes/noise-protocol-framework-int...

  Noise is used today in several high-profile projects:
    WhatsApp uses the "Noise Pipes" construction from the specification to perform encryption of client-server communications
    WireGuard, a modern VPN, uses the Noise IK pattern to establish encrypted channels between clients
    Slack's Nebula project, an overlay networking tool, uses Noise
    The Lightning Network uses Noise
    I2P uses Noise

There's a bunch of them, but part of the point of Noise is to be extremely prescriptive in order to simplify implementation. WireGuard is based on Noise, but has a lot more than just Noise in it.