On Mon, Mar 14, 2016 at 1:47 PM, Ryan Hamilton <[email protected]> wrote:
> On Mon, Mar 14, 2016 at 12:25 PM, Salz, Rich <[email protected]> wrote:
>
>> > It's worth keeping in mind this recent paper about Replay attacks
>> against HTTPS. TL;DR: Attackers can already force a browser to replay
>> requests basically at will. As a result, it's not clear that 0-RTT replay
>> makes this situation worse.
>>
>> TLS is more than just browsers, which is what started this thread I think
>>
>
> I was responding to a comment about HTTP, though :> I agree that the
> implications of 0-RTT for other applications will be different.
>

HTTP is much more than browsers; there's a lot of non-browser APIs built on
top of it (aka web services and micro services). Across many vendors, these
APIs are commonly not replay safe; or they are safe within the confines of a
small number of retries, but not a large unbounded number.

--
Colm
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
