[Question] Stateless Reset Oracle Attack
Hi there, I am performing a research project to follow up some of the analysis done in "A Quic(k) Security Overview: A Literature Research on Implemented Security Recommendations"
According to their findings, the Stateless Reset Oracle defenses described in RFC 9000 §21.11 have not been implemented in aiohttp.
I was hoping to:
- confirm that this isn't something the library handles
- check whether you would accept a PR defending against this attack
Thanks!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@jlaine Can someone reply before this security question is closed automatically?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I'm not sure I understand how this issue applies to aioquic, which:
- Generates random stateless reset tokens
- Does not detect or act on stateless resets (this is an issue in itself)
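To make the RFC 9000 §21.11 concern and the two points in the reply above concrete, here is an added example (not aioquic's code): a keyed, stateless token derivation, the per-CID random alternative the reply describes, an ownership check so an instance never produces a token for a connection ID it did not issue, and constant-time reset detection on the receiving side. The one-byte instance-id CID layout, the constructed key and the helper names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_LEN = 16          # stateless reset token length (RFC 9000 section 10.3)
MIN_RESET_DGRAM = 21    # smallest datagram that can carry a stateless reset


def derive_reset_token(static_key: bytes, cid: bytes) -> bytes:
    # Keyed derivation: an instance can recompute the token for any CID without
    # per-connection state. Every holder of static_key can do the same, which is
    # the oracle risk when several instances behind one address share the key.
    return hmac.new(static_key, cid, hashlib.sha256).digest()[:TOKEN_LEN]


def random_reset_token() -> bytes:
    # Per-CID random token (what the reply above describes): only the issuing
    # connection's own state can reproduce it, so no other instance is an oracle.
    return secrets.token_bytes(TOKEN_LEN)


def owns_cid(instance_id: int, cid: bytes) -> bool:
    # Assumed CID layout: the first byte names the instance that issued the CID.
    return len(cid) > 0 and cid[0] == instance_id


def stateless_reset_for(instance_id: int, static_key: bytes, cid: bytes):
    # Mitigation: refuse to produce a token for a CID this instance did not issue.
    # Without this check, instance 2 would hand out a valid token for a
    # connection that lives on instance 1, which is the oracle the RFC warns about.
    if not owns_cid(instance_id, cid):
        return None
    return derive_reset_token(static_key, cid)


def is_stateless_reset(datagram: bytes, expected_tokens) -> bool:
    # Receiver side: a datagram whose trailing 16 bytes equal a token the peer
    # advertised for one of its CIDs is a stateless reset; compare in constant time.
    if len(datagram) < MIN_RESET_DGRAM:
        return False
    tail = datagram[-TOKEN_LEN:]
    return any(hmac.compare_digest(tail, t) for t in expected_tokens)
```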