Adam Langley <agl@xxxxxxxxxx> wrote: > On Fri, Jan 16, 2015 at 12:03 PM, Hanno Böck <hanno@xxxxxxxxx> wrote: >> Recently Mozilla has disabled the now so-called protocol dance, which >> makes adding another workaround (SCSV) pretty much obsolete: > > Until they add TLS 1.3 support, when they'll need it again. I don't think so, because we can change the way versions are negotiated for TLS 1.3, so that the issue doesn't arise. In particular, we can keep ClientHello.client_version as 0x0303 (TLS 1.2) and negotiate TLS 1.3 with an extension. Also, the rate of TLS 1.3 intolerance might be significantly lower than projected. Ivan's numbers are based on a ClientHello with 0x0304 (TLS 1.3) as the record-layer version number. We know from past experience working on NSS that 0x0301 (TLS 1.0) is a more compatible record-layer version number. I think it was established that many servers work fine when ClientHello.client_version = 0x0304 (TLS 1.3) as long as the record-layer version number is 0x0301 (TLS 1.0) but break when then record-layer vsion is 0x0304 (TLS 1.3). We'll need to measure this in a more definitive way, but there's reason to be optimistic. Cheers, Brian