v2.2.20 release candidate released

Gedalya gedalya at gedalya.net
Tue Dec 8 17:24:39 UTC 2015


On 12/06/2015 07:19 AM, Gerhard Wiesinger wrote:
> Session tickets are broken by DESIGN as they violate PFS (Perfect 
> Forward Secrecy). If you can steal one AES key (all session tickets 
> are encrypted for server lifetime with only one key) you can decrypt 
> ALL sessions ever made with session tickets for the future.

I'm in no way an expert or an authority, but it is my understanding that 
there being only one key for the server's lifetime is not exactly by 
design, rather (sloppy) implementation. See [0] as an example of at 
least a discussion on key rotation or even smooth rollover.
Perhaps in a perfect world, those who don't find a session cache 
suitable could instead use a better implementation of session tickets. 
Until of course someone takes security shaming to the next level and 
declares session tickets unconditionally evil. Notably, Qualys isn't 
doing that yet. Even Google is currently otherwise engaged. 
Superficially speaking, both approaches sound like a matter of securing 
server memory space and rotating things out frequently.

[0] http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004373.html
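The key-rotation scheme discussed above, as an added example that is not part of this thread or of Dovecot or nginx: the server keeps a small ring of ticket keys, seals new tickets only under the newest key, accepts tickets under a bounded number of previous keys, and discards anything older. A key that no longer exists cannot be stolen, so the window a single key compromise can reach shrinks from "server lifetime" to one or two rotation periods. The encryption here is a stdlib-only encrypt-then-MAC built from HMAC-SHA256 (keystream plus tag) so the example runs without third-party packages; a production implementation would use AES-GCM or the library's built-in ticket callback. Key-ring size, key-id and nonce lengths, and the session state bytes are constructed values for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; a real deployment chooses these
# from its own policy (e.g. rotate hourly, keep one previous key).
KEY_ID_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


class TicketKeyRing:
    """Current ticket key plus a bounded number of retired keys.

    Tickets are sealed only under the newest key.  Older keys are kept just
    long enough to accept tickets issued before the last rotation, then
    dropped, so a later key compromise cannot reach sessions from that period.
    """

    def __init__(self, keep_previous=1):
        self.keep_previous = keep_previous
        self.keys = []  # newest first: (key_id, master_key)
        self.rotate()

    def rotate(self):
        # New key goes to the front; anything beyond keep_previous is erased.
        self.keys.insert(0, (os.urandom(KEY_ID_LEN), os.urandom(32)))
        del self.keys[self.keep_previous + 1:]

    def current(self):
        return self.keys[0]

    def lookup(self, key_id):
        for kid, master in self.keys:
            if hmac.compare_digest(kid, key_id):
                return master
        return None  # key already retired


def _subkeys(master):
    # Derive independent encryption and MAC keys from the ring's master key.
    enc = hmac.new(master, b"ticket-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"ticket-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256 (illustrative stand-in for AES).
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_ticket(ring, session_state):
    """Encrypt session state under the current key: key_id||nonce||ct||tag."""
    key_id, master = ring.current()
    enc, mac = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc, nonce, len(session_state))
    ct = bytes(a ^ b for a, b in zip(session_state, ks))
    tag = hmac.new(mac, key_id + nonce + ct, hashlib.sha256).digest()
    return key_id + nonce + ct + tag


def open_ticket(ring, ticket):
    """Return the session state, or None (forcing a full handshake)."""
    if len(ticket) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
        return None
    key_id = ticket[:KEY_ID_LEN]
    nonce = ticket[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
    ct, tag = ticket[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
    master = ring.lookup(key_id)
    if master is None:
        return None  # issued under a key that has been rotated out
    enc, mac = _subkeys(master)
    expected = hmac.new(mac, key_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered or forged ticket
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def demo():
    """Show a ticket surviving one rotation and being refused after two."""
    ring = TicketKeyRing(keep_previous=1)
    state = b"constructed session state: master secret + cipher suite"
    ticket = seal_ticket(ring, state)
    before = open_ticket(ring, ticket) == state
    ring.rotate()
    after_one = open_ticket(ring, ticket) == state
    ring.rotate()
    after_two = open_ticket(ring, ticket)
    return before, after_one, after_two


if __name__ == "__main__":
    print(demo())  # (True, True, None)
```

The refusal after the second rotation is the whole point: a client holding an old ticket simply falls back to a full handshake, while the key that protected that ticket no longer exists anywhere on the server to be stolen. In a multi-server deployment the ring contents must be distributed out of band so every front end accepts the same key ids.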



More information about the dovecot mailing list