The libp2p-noise specification states the following related to early data (payloads):
These payloads MUST be inserted into the first message of the handshake pattern that guarantees secrecy.
In practice, this means that the initiator must not send a payload in their first message.
Instead, the initiator will send its payload in message 3 (closing message),
whereas the responder will send theirs in message 2 (their only message)
According to Noise XX security properties, the second message with payload provides forward
secrecy, however, the sender has not authenticated the responder, so this payload might be sent to any
party, including an active attacker. So an active attacker can just establish a connection with the
responder host and get the early data.
The libp2p-noise specification states the following related to early data (payloads):
According to Noise XX security properties, the second message with payload provides forward secrecy, however, the sender has not authenticated the responder, so this payload might be sent to any party, including an active attacker. So an active attacker can just establish a connection with the responder host and get the early data.
So, this MR just clarifies this moment.