[anonymous-panda]

You’re misunderstanding the DOS attack I think. This is a DOS on the server itself and can prevent all other clients from connecting or the server from doing any useful work as its time is spent computing keys instead of anything useful. It doesn’t require any MITM proxy to be installed. Basically imagine a client could connect to a random Google server and take it down.

[dboreham]

Yes but this is nothing to do with cryptography per se. Most servers can be taken down by a client that finds some expensive operation it can get executed, then sends a bunch of same. The solution implies a generic per-client or per-request resource limit mechanism (which in my experience some systems have, but most do not). This is probably the only good thing about "serverless"/lambda type solutions.

[anonymous-panda]

Sure, but an expensive operation sitting as a time bomb within some TLS configs is more easily exploitable than having to find some service specific exploit.

[tptacek]

Will Google even do a straight FFDH TLS handshake? I tried with s_client and couldn't find a cipher string that would work (starting by taking the default and just chopping all the non-DH strings out).

[wolf550e]

Looks like google won't: https://www.ssllabs.com/ssltest/analyze.html?d=www.google.co...