
TLS version intolerance - zerognowl
https://timtaubert.de/blog/2016/09/tls-version-intolerance/
======
nprescott
I hadn't quite realized the simplicity of the POODLE attack previously. There
was an article covering similar ground in LWN recently[0].

[0]: https://lwn.net/SubscriberLink/701956/4dc5a506c0a6fd82/

------
userbinator
Since unknown ciphersuites seem to be much better handled (i.e. are ignored),
I wonder if keeping the header version at 1.2 while extending the ciphersuites
with more that indicate 1.3-like behaviour would be better for backwards
compatibility. For example,

 _TLS 1.3 will sign all messages before server authentication, even though it
makes Transcript Collision Attacks somewhat easier to mount._

...there could be a ciphersuite which tells the server to do this.
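Added example, not code from the blog post or from the commenter: userbinator's idea is to leave the header version at 1.2 and signal the newer behaviour in a field that intolerant servers already ignore. The finished TLS 1.3 (RFC 8446) does exactly that, with a supported_versions extension rather than a cipher suite, while legacy_version stays at 0x0303. The Python below builds and parses a minimal ClientHello in that shape and shows why a server that only reads legacy_version never sees a 1.3 version number at all. The cipher suite values and the all-zero client random are constructed sample inputs; the record layer is omitted.

```python
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type number from RFC 8446


def build_client_hello(cipher_suites, versions, client_random=b"\x00" * 32):
    """Build a ClientHello handshake message (type byte, 24-bit length, body).

    legacy_version is always 0x0303 (TLS 1.2) no matter what `versions` says;
    the versions actually offered go into the supported_versions extension.
    client_random defaults to zeros here only to keep the example deterministic.
    """
    body = struct.pack(">H", TLS12)                       # legacy_version
    body += client_random                                  # random (32 bytes)
    body += b"\x00"                                        # legacy_session_id: empty
    body += struct.pack(">H", 2 * len(cipher_suites))      # cipher_suites length
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # compression_methods: null only
    # supported_versions: one-byte list length followed by u16 version codes
    ext_data = bytes([2 * len(versions)]) + b"".join(struct.pack(">H", v) for v in versions)
    ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(ext)) + ext              # extensions length + data
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1


def parse_client_hello(msg):
    """Return (legacy_version, cipher_suites, supported_versions or None)."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                          # skip random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    supported = None
    if pos < len(body):                                    # extensions are optional
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack(">H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return legacy_version, suites, supported


def negotiate(server_max, hello):
    """Version a server would pick from this ClientHello.

    A server whose newest version is 1.2 only looks at legacy_version and
    picks 1.2; it is never confronted with 0x0304. A 1.3-aware server reads
    the extension and picks the highest version both sides support.
    """
    legacy, _, supported = parse_client_hello(hello)
    if server_max < TLS13 or supported is None:
        return min(legacy, server_max)
    mutual = [v for v in supported if v <= server_max]
    return max(mutual) if mutual else None


if __name__ == "__main__":
    # constructed sample: a TLS 1.3 suite plus a TLS 1.2 suite, offering 1.3 then 1.2
    hello = build_client_hello([0x1301, 0xC02F], [TLS13, TLS12])
    print(parse_client_hello(hello))
    print(hex(negotiate(TLS12, hello)), hex(negotiate(TLS13, hello)))
```

The point the example makes is the one behind the comment: whatever carries the "I can do 1.3" signal, it has to live somewhere a 1.2-only server already tolerates unknown values, which is why neither the record nor the handshake version field was bumped.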

~~~
brians
Could be!

But someday we'll want to turn off the 1.2 handshake, so better that we deal
with some of the version intolerance now.

------
citrin_ru
> As soon as the spec is finished, and often far before that feat is done,
> clients will have been equipped with support for the new TLS protocol
> version

A very optimistic view of the situation with client browsers. In the real world we
still have users with Win XP and IE. Or Android 2.x (and we can't blame users,
because vendors don't provide new firmware).

~~~
clifanatic
I think he meant some clients, as in, "there will be some out there". I don't
think we'll _ever_ see a day when all clients use current (or even recent)
versions of TLS.

------
rawstar11
What CMS did you use to make this blog?

------
tho9Ohx1eo
Off topic: nice and clean blog interface. Does anyone know if this is self-made or
if it is a platform of some kind?

~~~
ttaubert
Thanks! The "design" is mine, and I still use Octopress because I haven't
found the time to switch to something fancier.

