On Sat, May 6, 2017 at 8:22 AM, Salz, Rich <rs...@akamai.com> wrote: > > What about when **part** of a request is in the 0RTT part, and the rest > of it isn’t? I believe this will happen often for H2 initial setup. > Imagine the “fun” when initial connection data, such as login cookies, is > replayed in other contexts and eventually decrypted? >
I asked this question a while back, and didn't get a satisfying answer: if an on-path attacker replaces the early data with a replay from an earlier connection, does the server eventually figure this out once the handshake is complete, or is this mix-and-match impossible for the server to detect? It would be nice if a security property of early data is that a replay attack is eventually detected, because at least then you'll know you're under attack. Kyle
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
