On Thu, May 4, 2017 at 8:18 PM, Watson Ladd <watsonbl...@gmail.com> wrote:
> >
> > It should be up to servers whether a request is allowed with 0-rtt.
>
> Which server? It's possible that the backhauls from the server the
> TLS connection is made to to the server actually responding to the
> request do not distinguish 0-RTT from other data. Opportunity for
> administrative bloopers is immense: even if the responding server
> rejects 0-RTT, the server proxying requests won't necessarily know
> that inline as it is reusing the connection.
>
+1
By the time the client has sent 0-RTT data the complexity mess
has already and it may be too late to avoid some of the potential
vulnerabilities.
Just as an example of a type of attack: attacker replays 0-RTT messages.
If the server accepts some (sends larger responses) and rejects others
(sends smaller
responses) than that tells you something about the messages
and the attacker you can tell which client requests might have been
replay-safe
and which ones were not.
Erik
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
