Since unknown ciphersuites seem to be much better handled (i.e. are ignored), I wonder if keeping the header version at 1.2 while extending the ciphersuites with more that indicate 1.3-like behaviour would be better for backwards compatibility. For example,
TLS 1.3 will sign all messages before server authentication, even though it makes Transcript Collision Attacks somewhat easier to mount.
...there could be a ciphersuite which tells the server to do this.
> As soon as the spec is finished, and often far before that feat is done, clients will have been equipped with support for the new TLS protocol version
Very optimistic view on situation with client browsers. In the real world we still have users with Win XP and IE. Or Android 2.x (and we can't blame users, because vendors don't provide new firmware).
I think he meant some clients, as in, "there will be some out there". I don't think we'll _ever_ see a day when all clients use current (or even recent) versions of TLS.
8 comments
[ 4.1 ms ] story [ 37.2 ms ] threadTLS 1.3 will sign all messages before server authentication, even though it makes Transcript Collision Attacks somewhat easier to mount.
...there could be a ciphersuite which tells the server to do this.
But someday we'll want to turn off the 1.2 handshake, so better that we deal with some of the version intolerance now.
[0]: https://lwn.net/SubscriberLink/701956/4dc5a506c0a6fd82/
Very optimistic view on situation with client browsers. In the real world we still have users with Win XP and IE. Or Android 2.x (and we can't blame users, because vendors don't provide new firmware).