This repository has been archived by the owner on Jun 17, 2024. It is now read-only.

miTLS API may confuse developers to write software which may be vulnerable to replay attacks #187

Open
oweisse-msft opened this issue Aug 11, 2017 · 1 comment
Comments

@oweisse-msft

oweisse-msft commented Aug 11, 2017

In miTLS, when resuming a session with a session ticket, the client simply calls FFI_mitls_send, and the data may be sent over 0RTT. The server, calling FFI_mitls_receive, will receive the data without having any indication that the data is "early data" and is NOT replay protected. This can confuse developers and eventually cause software using miTLS to be vulnerable to replay attacks.

In comparison, OpenSSL has a complete separation of 0RTT data from the normal stream. They have

  • SSL_read_early_data
  • SSL_write_early_data

which allows the application to know which data is replay protected and which is not.
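The following is an added illustration of the API concern raised in this issue; it is not code from miTLS or OpenSSL. It models the two receive-side API shapes in Python with two hypothetical classes (`ConflatedReceiver`, a single `receive()` that returns only bytes, and `SeparatedReceiver`, a `read_early_data()` / `read()` split in the style of the OpenSSL calls named above) and a toy account server that refuses a non-idempotent `TRANSFER` when it knows the request arrived as early data. The record stream is constructed: the same early-data record is delivered twice, which is what a replayed 0-RTT flight looks like from the server's side.

```python
# Added illustration of the API concern above (not miTLS or OpenSSL code).
# It models two receive-side API shapes and shows why the application
# needs to know whether a record arrived as 0-RTT early data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    """One application-data record as delivered by the TLS layer."""
    payload: bytes
    early: bool  # True = carried as 0-RTT early data (not replay protected)


class ConflatedReceiver:
    """Hypothetical single-stream API: receive() returns bytes and nothing else,
    so the caller cannot distinguish early data from post-handshake data."""

    def __init__(self, records: List[Record]) -> None:
        self._queue = list(records)

    def receive(self) -> Optional[bytes]:
        return self._queue.pop(0).payload if self._queue else None


class SeparatedReceiver:
    """Hypothetical split API in the style of SSL_read_early_data / SSL_read:
    early records are only ever handed out by read_early_data(). (Simplified:
    the stream is partitioned up front instead of tracking handshake state.)"""

    def __init__(self, records: List[Record]) -> None:
        self._early = [r.payload for r in records if r.early]
        self._normal = [r.payload for r in records if not r.early]

    def read_early_data(self) -> Optional[bytes]:
        return self._early.pop(0) if self._early else None

    def read(self) -> Optional[bytes]:
        return self._normal.pop(0) if self._normal else None


class AccountServer:
    """Toy application: GET_BALANCE is idempotent, TRANSFER is not."""

    def __init__(self, balance: int = 100) -> None:
        self.balance = balance

    def handle(self, request: bytes, early: bool) -> str:
        if request == b"GET_BALANCE":
            return f"balance={self.balance}"
        if request.startswith(b"TRANSFER "):
            if early:
                # Non-idempotent request in replayable data: refuse it so a
                # replayed record cannot debit the account twice. The client
                # is expected to resend once the handshake has completed.
                return "rejected: TRANSFER not accepted in 0-RTT early data"
            amount = int(request.split(b" ", 1)[1])
            self.balance -= amount
            return f"ok balance={self.balance}"
        return "error: unknown request"


# Constructed sample stream: the TRANSFER record is carried as early data and
# is delivered twice, which is what a replayed 0-RTT flight looks like to the
# server. GET_BALANCE arrives after the handshake completes.
SAMPLE_STREAM = [
    Record(b"TRANSFER 30", early=True),
    Record(b"TRANSFER 30", early=True),
    Record(b"GET_BALANCE", early=False),
]


def serve_conflated(records: List[Record]) -> int:
    """Server written against the single-stream API: it has no early flag to
    consult, so it treats every record as 1-RTT data and is debited twice."""
    srv, rx = AccountServer(), ConflatedReceiver(records)
    while (req := rx.receive()) is not None:
        srv.handle(req, early=False)
    return srv.balance


def serve_separated(records: List[Record]) -> int:
    """Server written against the split API: early data is drained first with
    early=True, then the post-handshake stream is processed normally."""
    srv, rx = AccountServer(), SeparatedReceiver(records)
    while (req := rx.read_early_data()) is not None:
        srv.handle(req, early=True)
    while (req := rx.read()) is not None:
        srv.handle(req, early=False)
    return srv.balance


if __name__ == "__main__":
    print("conflated API final balance:", serve_conflated(SAMPLE_STREAM))  # 40
    print("separated API final balance:", serve_separated(SAMPLE_STREAM))  # 100
```

With the single-stream API the server ends at a balance of 40 (the duplicated early-data transfer is applied twice); with the split API it stays at 100, because the application can see that both copies arrived as early data and declines to act on a non-idempotent request there. The point is not the toy policy itself but that the second design is only possible when the TLS API exposes the early/normal distinction to the caller.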

@BarryBo

BarryBo commented Jun 1, 2018

Let's think more about this as we tidy up the TLS interface.
