This sounds a bit like 0-RTT is a burning tire fire https://github.com/tlswg/tls13-spec/issues/1001 … should probably dig into it in detail.
Common example: every time you visit a news site as a non-subscriber, they decrement a page view from your "free" quota.
Browser retries are not that interesting; they could lock out one user. With 0-RTT replays, you could lock out all users. New kind of DoS attack.
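The quota-decrement replay above, as an added simulation written for this page (not code from the thread, from any news site, or from any TLS library). The TLS layer is not modelled; the server only sees the per-request flag it would get from the "Early-Data: 1" header and answers with the 425 (Too Early) status of RFC 8470. The three-article quota, the Request/Server shapes and the handler names are assumptions for the example. The naive handler decrements on every request, so a captured 0-RTT record can be replayed until the victim's quota reads zero; the other two handlers show the two usual defences.

```python
# Added example for this page: a simulated 0-RTT replay against a news site's
# free-article quota. Nothing here is code from the thread or from any real site;
# the TLS layer is not modelled, only the flag a server sees for early data
# (the "Early-Data: 1" request header and 425 status of RFC 8470).
from dataclasses import dataclass, field

FREE_ARTICLES = 3  # assumed quota for the example


@dataclass(frozen=True)
class Request:
    client: str        # whoever the quota belongs to (cookie / account id)
    path: str
    early_data: bool   # True if this request rode in the 0-RTT flight
    record_id: str     # stands in for the bytes of the captured early-data record


@dataclass
class Server:
    quota: dict = field(default_factory=dict)
    seen_records: set = field(default_factory=set)  # anti-replay cache, per node

    def remaining(self, client: str) -> int:
        return self.quota.get(client, FREE_ARTICLES)

    def naive_view(self, req: Request) -> int:
        """Decrement on every request, 0-RTT or not. A captured early-data
        record can be replayed until the victim's quota reads zero."""
        left = self.remaining(req.client)
        if left <= 0:
            return 402  # paywall
        self.quota[req.client] = left - 1
        return 200

    def too_early_view(self, req: Request) -> int:
        """RFC 8470: refuse to do state-changing work from early data. The
        client retries the same request after the handshake completes, when
        it is no longer replayable."""
        if req.early_data:
            return 425
        return self.naive_view(req)

    def dedup_view(self, req: Request) -> int:
        """Alternative: remember each early-data record and serve it once.
        Only as good as the cache's scope; a replay delivered to a node or
        region that does not share the cache goes through."""
        if req.early_data:
            if req.record_id in self.seen_records:
                return 425
            self.seen_records.add(req.record_id)
        return self.naive_view(req)


def replay(server: Server, handler: str, req: Request, times: int) -> list[int]:
    """Attacker re-sends the same captured 0-RTT record `times` times."""
    return [getattr(server, handler)(req) for _ in range(times)]


def demo() -> dict:
    # Constructed sample: one early-data record captured from Alice's session.
    captured = Request("alice", "/story/1", early_data=True, record_id="rec-alice-1")
    out = {}
    for handler in ("naive_view", "too_early_view", "dedup_view"):
        s = Server()
        out[handler] = (replay(s, handler, captured, 5), s.remaining("alice"))
    # Alice's own post-handshake request is not early data and is served normally.
    s = Server()
    out["post_handshake"] = (s.too_early_view(Request("alice", "/story/1", False, "n/a")),
                             s.remaining("alice"))
    return out


if __name__ == "__main__":
    for name, (statuses, left) in demo().items():
        print(f"{name:15} statuses={statuses} alice_remaining={left}")
```

Running it shows the naive handler burning Alice's whole quota from five replays of one record, the 425 handler serving none of them while still serving her real post-handshake request, and the dedup cache stopping the replays only on the node that saw the first copy. An attacker with captured records for many users repeats the same loop per user, which is the all-users lockout the tweet describes.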
But think higher-level: better to be humble and assume risk is greater than we can conceive than to look for excuses to keep something iffy
Ah, nice one. But news sites commonly use plain HTTP, and we don't see anyone mounting replay attacks. Only unconvinced by practicality.