Skip to content

Instantly share code, notes, and snippets.

tialaramex

Block or report user

Report or block tialaramex

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@tialaramex
tialaramex / gist:7c78e677fd58ebde4dea9296ddea17d2
Last active Jul 19, 2019
About TLS 1.3 encrypting the Certificate Message
View gist:7c78e677fd58ebde4dea9296ddea17d2
I've seen more than one "security researcher" arguing basically along the following lines:
1. Prior to TLS 1.3 the Certificate message was plaintext. (True)
2. So a middlebox could see this message without participating (Fine so far)
3. The middlebox could use the contents of this message to reason about the connection (Hmm?)
4. But in TLS 1.3 only SNI is visible not Certificate, and we can't trust that (Oh dear)
Here's the problem: Certificate is largely useless on its own
Certificate is just one or more concatenated X.509 certificates. Those are public documents.
You can’t perform that action at this time.