On Sat, Mar 12, 2016 at 12:45 PM, Karthikeyan Bhargavan
<karthik.bharga...@gmail.com> wrote:
> Hi Kyle,
>
> In my talk at TRON, I was also concerned by potential attacks from allowing
> unlimited replay of 0-RTT data. I recommended that TLS 1.3 servers should
> implement replay protection using a cache, but requiring clients to provide
> a timestamp in the client random is a great idea. Perhaps this would also
> allow TLS 1.3 servers to detect clients whose clocks are too out-of-sync
> with

Be careful here. The whole point of 0-RTT is to start consuming data
before it's authenticated to save a few milliseconds in network time.
All those parameters are controlled by the attacker.

We never worried about the extra roundtrip using satellite comms with
0.5 to 1.0 second delays. Additionally, most of my delays in fetching
web pages seem to be delays in Google APIs and serving third-party
ads. 0-RTT seems to be a solution looking for a problem.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
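
The replay cache plus client-random timestamp discussed in the quoted message, as an added example that is not code from the thread or from any TLS implementation. It assumes a 32-byte client random whose first 4 bytes are a big-endian Unix time and a 10-second acceptance window; the class and function names are hypothetical.

```python
import os


def make_client_random(unix_time: int, nonce: bytes) -> bytes:
    """Assumed layout: 4-byte big-endian timestamp followed by 28 random bytes."""
    assert len(nonce) == 28
    return unix_time.to_bytes(4, "big") + nonce


class ZeroRttReplayGuard:
    """Accept a given client random at most once, and only while it is fresh.

    The timestamp is what keeps the cache bounded: an entry older than the
    window can be evicted, because a replay of it is rejected as stale anyway.
    """

    def __init__(self, window_seconds: int = 10):
        self.window = window_seconds
        self.seen = {}  # client_random -> claimed timestamp

    def check(self, client_random: bytes, now: int) -> str:
        claimed = int.from_bytes(client_random[:4], "big")
        # Drop entries that the freshness test below would reject on its own.
        self.seen = {r: t for r, t in self.seen.items()
                     if now - t <= self.window}
        if abs(now - claimed) > self.window:
            return "reject-stale"    # clock skew or a late replay
        if client_random in self.seen:
            return "reject-replay"   # same ClientHello seen inside the window
        self.seen[client_random] = claimed
        return "accept"


def demo():
    now = 1457800000                 # constructed sample time
    guard = ZeroRttReplayGuard()
    fresh = make_client_random(now, os.urandom(28))
    old = make_client_random(now - 60, os.urandom(28))
    return [guard.check(fresh, now),        # first delivery
            guard.check(fresh, now + 1),    # replay inside the window
            guard.check(old, now),          # timestamp outside the window
            guard.check(fresh, now + 11),   # replay after the window
            len(guard.seen)]                # cache has been emptied


if __name__ == "__main__":
    print(demo())
```

A single cache like this only covers one server; the check says nothing about the same ClientHello being delivered to a second server that has its own cache.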