openSSL and SLOTH attack

On Fri, Jan 8, 2016 at 2:00 PM, Michael Sierchio <kudzu at tenebras.com> wrote:
> 2^48. Which is larger than 248, which was a cut-and-paste error. ;-)

Right.... The bad guy should *not* be able to compute a MAC to perform
the forgery within TCP's 2MSL bound and TLS timers. However, there's a
keep alive the authors used in the past to basically make their attack
windows unbounded in time. From the earlier paper on Logjam
(http://weakdh.org/imperfect-forward-secrecy-ccs15.pdf):

    TLS warning alerts. Web browsers tend to have shorter timeouts,
    but we can keep their connections alive by sending TLS warning
    alerts, which are ignored by the browser but reset the handshake
    timer.

As far as I know, there's no interest in fixing it in the TLS working group.

Jeff
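
The timer behaviour in the quoted Logjam passage, as an added example that is not part of the original message or of OpenSSL's code: a small model of a handshake timer run over a constructed record trace, comparing a timer that warning alerts reset with a fixed deadline. The 30-second timeout, the trace, and the use of ChangeCipherSpec as the end-of-handshake marker are assumptions made for the illustration.

```python
import struct

CCS, ALERT, HANDSHAKE = 20, 21, 22   # TLS record content types
WARNING = 1                          # alert level

def rec(ctype, payload):
    """Build a plaintext TLS 1.2 record (used for the constructed trace)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def parse_record(raw):
    """Split one plaintext TLS record into (content_type, payload)."""
    if len(raw) < 5:
        raise ValueError("short record header")
    ctype, _version, length = struct.unpack("!BHH", raw[:5])
    if len(raw) - 5 != length:
        raise ValueError("record length mismatch")
    return ctype, raw[5:]

def is_warning_alert(raw):
    ctype, payload = parse_record(raw)
    return ctype == ALERT and len(payload) == 2 and payload[0] == WARNING

def handshake_expiry(events, timeout, alerts_reset_timer):
    """Time at which the handshake timer fires, or None if the handshake
    completes first. events: (seconds, raw_record) in arrival order."""
    deadline = events[0][0] + timeout
    for ts, raw in events:
        if ts > deadline:
            return deadline
        if parse_record(raw)[0] == CCS:  # assumption: CCS ends the handshake here
            return None
        if alerts_reset_timer and is_warning_alert(raw):
            deadline = ts + timeout
    return deadline

def warning_alerts_before_completion(events):
    """Detection signal: warning alerts seen while the handshake is still open."""
    count = 0
    for _ts, raw in events:
        if parse_record(raw)[0] == CCS:
            break
        count += is_warning_alert(raw)
    return count

# Constructed trace: ClientHello stub, a warning alert every 20 s, CCS at 110 s.
TRACE = [(0, rec(HANDSHAKE, b"\x01\x00\x00\x00"))]
TRACE += [(t, rec(ALERT, bytes([WARNING, 90]))) for t in range(20, 101, 20)]
TRACE.append((110, rec(CCS, b"\x01")))

if __name__ == "__main__":
    print(handshake_expiry(TRACE, 30, True), handshake_expiry(TRACE, 30, False),
          warning_alerts_before_completion(TRACE))
```

With the resetting timer the 110-second handshake is allowed to complete; with a fixed deadline it is cut off at 30 seconds, and the count of warning alerts seen mid-handshake gives a monitor something to alert on.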

