by immibis 459 days ago
Running TLS over TLS is fine, or ssh over ssh, or ssh over TLS, and so on. Otherwise the bad guy would just put the TLS traffic they intercepted from you through their own TLS tunnel and somehow acquire more information.

In the early days of SSL there were cross-protocol information leaks if you used the same key or related keys for different protocols or protocol versions. In the DROWN attack, I can get some ciphertext from you in TLS, then feed related ciphertexts back to you in SSLv2 (an ancient version) if you're using the same key for both and have both enabled. With enough tries - a practical number of tries, not 2^64 - I can find the decryption of that ciphertext, and then I can calculate the key for the TLS session I intercepted.

Well, I can't because I'm not a leading cryptographer, but some people can.

2 comments

This is a great point. If layering encryption really does introduce new attacks, that suggests encrypting single-layer ciphertext could allow you to perform that layered-ciphertext attack anyways. So I find myself skeptical of chowells' claim here.

Here's Wikipedia: https://en.wikipedia.org/wiki/Multiple_encryption

I'm no expert here, but if I understand Wikipedia correctly:

* Be sure to use distinct keys and IVs for each individual layer.

* Be aware that encrypting ciphertext could lead to a known-plaintext attack on the outer cipher, if the inner ciphertext starts in a standard way (file header etc.)

One thing you do have to be careful about is layering hash functions, which generally does not work.
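Added example (not from either commenter): a two-layer encryption wrapper in Go that follows the first bullet above, deriving an independent key for each layer and drawing a fresh random IV per layer, plus a function that shows the failure mode the bullet warns about. AES-CTR is used for both layers because a stream cipher makes the failure visible: two CTR layers that share a key and IV XOR the same keystream twice and hand back the plaintext. The master secret and the label strings `layer-1` / `layer-2` are constructed for the demo; CTR is unauthenticated, so a real deployment would wrap each layer in an AEAD such as AES-GCM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveKey derives one independent 256-bit key per layer from a master
// secret, HKDF-Expand style (a single HMAC-SHA256 block keyed by the label).
// Distinct labels guarantee distinct keys for the inner and outer layers.
func deriveKey(master []byte, label string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(label))
	m.Write([]byte{0x01}) // HKDF block counter
	return m.Sum(nil)
}

// ctrXOR applies AES-256-CTR with the given key and IV. Encryption and
// decryption are the same XOR-with-keystream operation.
func ctrXOR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// randomIV returns a fresh, unpredictable IV for one layer.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// layeredEncrypt applies an inner and an outer CTR layer, each with its own
// key and its own random IV. Both IVs are returned alongside the ciphertext
// because the receiver needs them; they are not secret.
func layeredEncrypt(master, plaintext []byte) (innerIV, outerIV, ct []byte) {
	innerKey := deriveKey(master, "layer-1") // constructed labels
	outerKey := deriveKey(master, "layer-2")
	innerIV, outerIV = randomIV(), randomIV()
	inner := ctrXOR(innerKey, innerIV, plaintext)
	return innerIV, outerIV, ctrXOR(outerKey, outerIV, inner)
}

// layeredDecrypt peels the outer layer first, then the inner one.
func layeredDecrypt(master, innerIV, outerIV, ct []byte) []byte {
	innerKey := deriveKey(master, "layer-1")
	outerKey := deriveKey(master, "layer-2")
	return ctrXOR(innerKey, innerIV, ctrXOR(outerKey, outerIV, ct))
}

// sameKeyDoubleCTR is the anti-pattern: two CTR layers that reuse the same
// key and IV cancel each other out, so the "double-encrypted" output equals
// the plaintext. This is why each layer needs its own key and IV.
func sameKeyDoubleCTR(key, iv, plaintext []byte) []byte {
	return ctrXOR(key, iv, ctrXOR(key, iv, plaintext))
}

func main() {
	master := []byte("constructed master secret for the demo")
	pt := []byte("payload with a predictable header: MAGIC")

	innerIV, outerIV, ct := layeredEncrypt(master, pt)
	fmt.Println("layered ciphertext:", hex.EncodeToString(ct))
	fmt.Println("round trip ok:", bytes.Equal(layeredDecrypt(master, innerIV, outerIV, ct), pt))

	key := deriveKey(master, "shared")
	iv := make([]byte, aes.BlockSize) // deliberately reused zero IV
	fmt.Println("same key+IV twice returns plaintext:", bytes.Equal(sameKeyDoubleCTR(key, iv, pt), pt))
}
```

The second bullet above (known plaintext at the start of the inner ciphertext) is addressed by the per-layer random IV: CTR output with a fresh IV has no fixed prefix, so the outer layer is not fed a predictable header. If the inner format prepends magic bytes in the clear, those bytes become known plaintext to the outer cipher, which is exactly the situation the Wikipedia summary warns about.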