Playback: A TLS 1.3 Story - Black Hat Briefings

[Slide 1]
Alfonso García Alguacil and Alejo Murillo Moya
Cisco
Playback: A TLS 1.3 Story
[Slide 2]
Alejo Murillo Moya
Red Team Lead EMEAR
https://www.linkedin.com/in/alexismm2/
Alfonso García Alguacil
Senior Security Consultant
https://www.linkedin.com/in/alfonso-garcia-alguacil/
Who are we?
[Slides 3-6]
• The Good
  • KISS – only 5 cipher suites supported
  • Not vulnerable to the known attacks against previous versions of TLS (legacy key exchanges, ciphers, compression and renegotiation are gone)
  • Welcome forward secrecy (key exchange is ephemeral (EC)DHE; static RSA key exchange is gone)
  • Formal security analysis performed on the protocol
Introducing TLS 1.3
[Slide 7]
• The Bad
• Protocol tainted by “compatibility issues”: the handshake keeps legacy fields and a middlebox-compatibility mode so that middleboxes built for TLS 1.2 let it through
Introducing TLS 1.3
[Slide 8]
• The Ugly
• New protocol feature: 0-RTT (application data sent in the client's first flight, before the handshake completes)
Introducing TLS 1.3
[Slide 9]
0-RTT: Tough decisions
[Slides 10-12]
“Your browsers, implementations (BoringSSL among them) and CDNs may be supporting TLS 1.3 with 0-RTT”
Why should I care?
[Slides 13-17]
TLS 1.3 Handshake (diagram)
[Slides 18-21]
TLS 1.3 0-RTT (diagram)
[Slide 22]
As you can see… it may be possible to do REPLAY attacks!
[Slide 23]
TLS 1.3 0-RTT replay attack
[Slides 24-28]
TLS 1.3 0-RTT Replay (diagram)
[Slides 29-33]
Anti-replay protections
• Single-use tickets (the server accepts 0-RTT for a given ticket only once)
• ClientHello recording (the server remembers a digest of each accepted ClientHello for the ticket's validity window and refuses a repeat)
• “Freshness” checks (the ticket age the client reports must match the server's expected arrival time, within a window)
• Application profiles (the application layer defines which requests may be served from early data)
• Separate API (the TLS library hands early data to the application through a distinct API, so the application knows what arrived as 0-RTT)
[Slide 34]
Anti-replay protections and mitigations
[Slide 35]
Anti-replay PROTECTIONS (Jul-2018)
Columns: Single-Use Tickets | ClientHello Recording | Application Profile | Other protections
Cell text (the implementation names labelling the rows are not recoverable from the extracted slide):
• 0-RTT not available
• Different API for handling 0-RTT
• 0-RTT only on “safe” methods
• 0-RTT disabled; “safe” methods, no params
• BoringSSL: 0-RTT disabled by default
• Partial (HTTP header)
• n/a (six cells)
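The protections listed on slides 29 to 35, modelled as an added example in plain Python (this is not code from the talk or from any TLS library). It mimics the three server-side mechanisms of RFC 8446 section 8 on constructed inputs: the Ticket and ClientHello stand-ins, the clock and the 10-second WINDOW_MS are all assumptions made for the example, and no real TLS records are parsed.

```python
"""Server-side anti-replay checks for TLS 1.3 0-RTT, modelled in plain Python.

Added example, not code from the talk or from any TLS library. It mimics the
three mechanisms RFC 8446 section 8 gives a server that accepts early data:
single-use tickets (8.1), ClientHello recording (8.2) and freshness checks
(8.3). Tickets, ClientHellos and the clock are constructed stand-ins.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

WINDOW_MS = 10_000  # assumed replay window; RFC 8446 leaves the value to the server
MOD32 = 1 << 32     # ticket ages are 32-bit values on the wire


@dataclass
class Ticket:
    identity: bytes      # opaque value the client echoes as its PSK identity
    ticket_age_add: int  # random 32-bit value sent in NewSessionTicket
    created_ms: int      # server-side creation time, milliseconds


def client_hello(ticket: Ticket, age_ms: int, client_random: bytes = b"") -> dict:
    """Constructed stand-in for a resumption ClientHello that carries early data.

    The client reports its ticket age obfuscated with ticket_age_add (RFC 8446
    section 4.2.11). The 32-byte client random is fresh per connection, so a
    replayed capture is byte-identical while a new resumption with the same
    ticket is not.
    """
    client_random = client_random or secrets.token_bytes(32)
    obfuscated_age = (age_ms + ticket.ticket_age_add) % MOD32
    raw = b"ClientHello|" + client_random + ticket.identity + obfuscated_age.to_bytes(4, "big")
    return {"identity": ticket.identity, "obfuscated_age": obfuscated_age, "raw": raw}


@dataclass
class EarlyDataGate:
    """Decides whether the server may process the 0-RTT data of a ClientHello."""
    single_use: bool = True
    record_hellos: bool = True
    freshness: bool = True
    _issued: dict = field(default_factory=dict, init=False, repr=False)       # identity -> Ticket
    _consumed: set = field(default_factory=set, init=False, repr=False)       # identities used for 0-RTT
    _seen_hellos: dict = field(default_factory=dict, init=False, repr=False)  # sha256(hello) -> ms seen

    def issue_ticket(self, now_ms: int) -> Ticket:
        ticket = Ticket(secrets.token_bytes(16), secrets.randbits(32), now_ms)
        self._issued[ticket.identity] = ticket
        return ticket

    def accept_early_data(self, hello: dict, now_ms: int) -> tuple:
        """Return (accepted, reason); a rejection means 'fall back to a 1-RTT handshake'."""
        ticket = self._issued.get(hello["identity"])
        if ticket is None:
            return False, "unknown ticket"
        if self.freshness:
            # Undo the obfuscation and compare the claimed age with the server clock.
            # RFC 8446 also adds an estimated RTT to the expected arrival; omitted here.
            ticket_age = (hello["obfuscated_age"] - ticket.ticket_age_add) % MOD32
            if abs(now_ms - (ticket.created_ms + ticket_age)) > WINDOW_MS:
                return False, "outside freshness window"
        if self.record_hellos:
            digest = hashlib.sha256(hello["raw"]).digest()
            # Only the current window is kept; RFC 8446 pairs recording with freshness
            # checks so that older replays are caught by the age comparison instead.
            self._seen_hellos = {d: t for d, t in self._seen_hellos.items() if now_ms - t <= WINDOW_MS}
            if digest in self._seen_hellos:
                return False, "duplicate ClientHello within window"
            self._seen_hellos[digest] = now_ms
        if self.single_use:
            if ticket.identity in self._consumed:
                return False, "ticket already used for 0-RTT"
            self._consumed.add(ticket.identity)
        return True, "accepted"


def demo() -> dict:
    """Exercise each mechanism on its own against a constructed capture-and-replay."""
    now = 1_000_000  # constructed clock, milliseconds
    out = {}
    # (a) Single-use tickets: the second 0-RTT flight with the same ticket is refused,
    #     whatever else the attacker changes in the ClientHello.
    gate = EarlyDataGate(record_hellos=False, freshness=False)
    ticket = gate.issue_ticket(now)
    captured = client_hello(ticket, age_ms=500)
    out["first"] = gate.accept_early_data(captured, now + 500)[0]
    out["replay_single_use"] = gate.accept_early_data(captured, now + 600)[0]
    # (b) ClientHello recording: the exact captured bytes are refused within the window,
    #     but a genuine second resumption (fresh client random) with the same ticket passes.
    gate = EarlyDataGate(single_use=False, freshness=False)
    ticket = gate.issue_ticket(now)
    captured = client_hello(ticket, age_ms=500)
    gate.accept_early_data(captured, now + 500)
    out["replay_hello_recording"] = gate.accept_early_data(captured, now + 600)[0]
    out["resumption_same_ticket"] = gate.accept_early_data(client_hello(ticket, age_ms=700), now + 700)[0]
    # (c) Freshness: a capture replayed a minute later is outside the window, but one
    #     replayed quickly still passes, which is why freshness alone is not enough.
    gate = EarlyDataGate(single_use=False, record_hellos=False)
    ticket = gate.issue_ticket(now)
    captured = client_hello(ticket, age_ms=500)
    gate.accept_early_data(captured, now + 500)
    out["replay_after_window"] = gate.accept_early_data(captured, now + 60_000)[0]
    out["replay_within_window"] = gate.accept_early_data(captured, now + 900)[0]
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} {'accepted' if accepted else 'rejected'}")
```

Each mechanism is run alone so its gap is visible: recording alone still lets the same ticket resume again, freshness alone lets a fast replay through, and single-use tickets need the server to keep state. RFC 8446 recommends combining them, and none of them tells the application whether the request it is about to execute is one it has already executed.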
[Slides 36-38]
• Vantage point in the network
• Browser and server with TLS 1.3 and 0-RTT enabled
• GET not being a “safe method” (a.k.a. RFC meets reality: RFC 7231 calls GET safe, so servers let it into 0-RTT, yet real applications change state on GET)
Anatomy of an attack
[Slide 39]
• The browser decides when to send 0-RTT data, which reduces the window for attacks
The browser behaviour
[Slide 40]
DEMO
[Slides 41-42]
• Could it be possible to control when to send 0-RTT data? YES
Improving our attack
[Slides 43-46]
Controlling the browser (diagram)
[Slide 47]
DEMO
[Slide 48]
Anti-replay protections (recap): single-use tickets, ClientHello recording, “freshness” checks, application profiles, separate API
[Slide 49]
• Imagine that somehow the TLS library and server actually perfectly prevent any replay attack on 0-RTT
Improving our attack
[Slides 50-51]
• Could it be possible to do replay attacks? YES
Improving our attack
[Slides 52-59]
Universal replay attack (diagram)
[Slide 60]
DEMO
[Slide 61]
• 0-RTT creates a dependency between the application and the underlying TLS 1.3 protocol
• The application will need to be 0-RTT aware.
• Enabling 0-RTT could leave your application vulnerable to replay attacks
• Ultimately, the last line of defence would be the application itself.
Side effects of 0-RTT
[Slide 62]
• Disable 0-RTT
• Ensure that your application does not allow replays (e.g. single-use anti-CSRF tokens) and that REST services are developed properly (state changes only on non-safe methods, idempotent where possible)
• Create a strict application profile after careful analysis.
Mitigations
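The mitigations above, together with the “GET is not a safe method” case from the Anatomy of an attack slides, as an added example of a 0-RTT-aware application (this is not code from the talk). It assumes the TLS terminator in front of the application (a reverse proxy or CDN) forwards requests that arrived as early data with the `Early-Data: 1` header from RFC 8470, and that the application answers `425 Too Early` (also RFC 8470) when it refuses to act on early data. The routes, the account store and the dicts standing in for HTTP requests are constructed for the example.

```python
"""Making a web application 0-RTT aware, as an added example (not the talk's code).

Assumes the TLS terminator forwards early-data requests with 'Early-Data: 1'
(RFC 8470) and that the application answers 425 Too Early when it will not act
on such a request. Routes, the account store and the request dicts are all
constructed here.
"""
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # RFC 7231 safe methods


class Store:
    """Constructed application state: one account, a transfer log, issued tokens."""

    def __init__(self) -> None:
        self.balance = 100
        self.transfers = []
        self.tokens = set()

    def new_token(self) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        return token


# Vulnerable: a state change on GET, the "GET is not a safe method" case from the
# talk. A server that allows 0-RTT only for RFC 7231 safe methods still lets this
# through, and a replayed copy of the request runs the transfer again.
def transfer_get_vulnerable(req: dict, store: Store) -> int:
    amount = int(req["query"]["amount"])
    store.balance -= amount
    store.transfers.append(amount)
    return 200


# Hardened: the change is on POST and gated on a single-use token, so a copy that
# reaches the handler a second time, by whatever path, is refused.
def transfer_post_hardened(req: dict, store: Store) -> int:
    token = req["form"].get("token")
    if token not in store.tokens:
        return 403
    store.tokens.discard(token)  # burn the token before acting on the request
    amount = int(req["form"]["amount"])
    store.balance -= amount
    store.transfers.append(amount)
    return 200


def balance_get(req: dict, store: Store) -> int:
    return 200  # read-only; safe to serve from early data


# Application profile: each route declares whether it changes state. This is the
# developer's knowledge that neither the TLS library nor the proxy has.
ROUTES = {
    ("GET", "/transfer"): (transfer_get_vulnerable, True),
    ("POST", "/transfer"): (transfer_post_hardened, True),
    ("GET", "/balance"): (balance_get, False),
}


def dispatch(req: dict, store: Store, early_data_aware: bool = True) -> int:
    """Route a request; with early_data_aware=False the app ignores the Early-Data header."""
    handler, changes_state = ROUTES.get((req["method"], req["path"]), (None, False))
    if handler is None:
        return 404
    arrived_early = req["headers"].get("Early-Data") == "1"
    if early_data_aware and arrived_early and (changes_state or req["method"] not in SAFE_METHODS):
        return 425  # Too Early: the client retries once the handshake has completed
    return handler(req, store)


def request(method: str, path: str, *, query=None, form=None, early=False) -> dict:
    headers = {"Early-Data": "1"} if early else {}
    return {"method": method, "path": path, "query": query or {}, "form": form or {}, "headers": headers}


def demo() -> dict:
    out = {}
    # Naive application: the captured 0-RTT GET and its replay both execute.
    store = Store()
    captured = request("GET", "/transfer", query={"amount": 10}, early=True)
    out["naive_statuses"] = [dispatch(captured, store, early_data_aware=False),
                             dispatch(captured, store, early_data_aware=False)]
    out["naive_balance"] = store.balance  # the transfer ran twice
    # Aware application: the same early request is refused, a read-only one is served.
    store = Store()
    out["aware_transfer"] = dispatch(captured, store)
    out["aware_balance_read"] = dispatch(request("GET", "/balance", early=True), store)
    out["aware_balance"] = store.balance  # unchanged
    # After the handshake: the POST succeeds once; the same bytes sent again are refused.
    token = store.new_token()
    post = request("POST", "/transfer", form={"token": token, "amount": 10})
    out["post_first"] = dispatch(post, store)
    out["post_replay"] = dispatch(post, store)
    out["final_balance"] = store.balance
    return out


if __name__ == "__main__":
    print(demo())
```

The 425 branch is the application profile from the slides expressed in code: the route table, not the TLS stack, says what may run from early data. The single-use token is the last line of defence the talk asks for, because it makes a duplicate request harmless even when it arrives over a fully completed handshake.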
[Slide 63]
• Adopt TLS 1.3, but be aware that it could lead to a vulnerable application if 0-RTT is being used.
• Your application needs to be 0-RTT aware to prevent side effects.
• You will need to take into account the layers below your application, as their configuration may protect you against replay attacks or expose you to them
Main takeaways
[Slide 64]
Thanks!