David Schinazi
davidschinazi.com
@davidschinazi.com
Leading IP Privacy efforts at Google. OG MASQUE Enthusiast. Opinions my own. he/him. 🇫🇷➡️🇺🇸. I fight for the users.
Yeah I think we incorrectly assumed that GMAC offers preimage resistance when the key is known. You’re right, that text is wrong. Luckily it doesn’t impact the protocol guarantees, since QUIC isn’t resilient to active attackers causing handshakes to fail
November 24, 2025 at 7:07 PM
This is a low-value target. Prior to that spec change, retries were trivially forgeable. The intent here was to make that harder while minimizing computational requirements. Retries are sent when a server is under load so they need to be incredibly cheap to generate
November 24, 2025 at 5:05 PM