Some context. I am working on DNS over QUIC (https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsoquic/). From a performance point of view, using QUIC and 0-RTT is pretty compelling. The 0-RTT packets can only carry DNS queries, which do not change the long term state of the DNS servers. However, the queries do change the state of the server cache. Attackers might be able to assess the state of the cache by replaying 0-RTT packets, possibly finding out what encrypted queries the packets contained. These attacks can be mitigated somewhat by using the TLS 1.3 freshness check, so that 0-RTT packets can only be replayed for a short time after being sent by the client. The shorter the time, the stronger the mitigation.

Hence the question: how short can the delay of the TLS 1.3 freshness check be?

-- Christian Huitema


_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
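The server-side freshness check the message refers to (RFC 8446 section 8.3), worked through as an added example that is not part of the original post. All timestamps, the ticket_age_add value and the RTT estimate are constructed for the illustration; in a real server ticket_age_add is a random per-ticket value.

```python
"""Model of the TLS 1.3 freshness check used to limit 0-RTT replay.

Server side only; all times are milliseconds. The window parameter is the
"how short can the delay be" knob from the question above.
"""

MOD = 2 ** 32


def obfuscate_ticket_age(ticket_age_ms: int, ticket_age_add: int) -> int:
    """Client side: PskIdentity.obfuscated_ticket_age (RFC 8446 4.2.11)."""
    return (ticket_age_ms + ticket_age_add) % MOD


def recover_ticket_age(obfuscated: int, ticket_age_add: int) -> int:
    """Server side: undo the obfuscation with the per-ticket ticket_age_add."""
    return (obfuscated - ticket_age_add) % MOD


def freshness_ok(now_ms: int, issued_ms: int, est_rtt_ms: int,
                 obfuscated: int, ticket_age_add: int, window_ms: int) -> bool:
    """RFC 8446 8.3: expected_arrival = adjusted_creation + client ticket age.

    adjusted_creation is the ticket issue time plus the RTT measured on the
    original handshake; 0-RTT is rejected if the ClientHello arrives outside
    +/- window_ms of the expected time.
    """
    adjusted_creation = issued_ms + est_rtt_ms
    expected_arrival = adjusted_creation + recover_ticket_age(obfuscated, ticket_age_add)
    return abs(now_ms - expected_arrival) <= window_ms


def replay_outcome(window_ms: int, replay_delay_ms: int) -> dict:
    """Constructed scenario: one genuine 0-RTT ClientHello, then a replay
    of the same bytes replay_delay_ms later. Returns the server's verdicts."""
    issued_ms = 1_000_000            # constructed ticket issue time (server clock)
    est_rtt_ms = 50                  # constructed RTT estimate from the 1-RTT handshake
    ticket_age_add = 0xA5A5_1234     # constructed; random per ticket in practice
    client_age_ms = 30_000           # client waited 30 s after receiving the ticket
    obfuscated = obfuscate_ticket_age(client_age_ms, ticket_age_add)
    # Ticket reached the client after half an RTT; the ClientHello takes
    # another half RTT back, so it lands exactly at the expected time.
    first_arrival = issued_ms + est_rtt_ms + client_age_ms
    replay_arrival = first_arrival + replay_delay_ms
    return {
        "first": freshness_ok(first_arrival, issued_ms, est_rtt_ms,
                              obfuscated, ticket_age_add, window_ms),
        "replay": freshness_ok(replay_arrival, issued_ms, est_rtt_ms,
                               obfuscated, ticket_age_add, window_ms),
    }
```

The check only bounds the replay interval to the window (plus clock skew), so RFC 8446 pairs it with single-use tickets or ClientHello recording; a window of a few seconds rejects a replay that arrives later than that but still admits any replay inside it.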
