This sounds a bit like 0-RTT is a burning tirefire https://github.com/tlswg/tls13-spec/issues/1001 … should probably dig into it in detail.
Just to pick some examples: how could you protect an origin that throttles requests at an unknown rate from throttle exhaustion?
Or an application cache from timing leaks? Also, 0-RTT is hostname-level, will users really check all possible URLs for strict idempotency?
I found those ideas clever. But post-auth throttling for idempotent req. is not that common IMHO, and traffic analysis prob. > cache timing.