Well, not really, because LOTS AND LOTS of requests do things like "x += 1". Let's look at one ... suppose I call it https://myservice.me/x/add/1 . O.k., first problem: THIS IS AN ILLEGAL "GET" REQUEST AND THE HTTP POLICE ARE COMING TO MAKE ME USE "POST".
Last message in the thread: no, 0-RTT is not some NSA backdoor (Dear HN: grow up), there are no intentional back doors in TLS1.3, and it is still overall AWESOME AND EXCITING and we'll be adding it to s2n ... VERY SOON. EOF.
Browsers generally don't support it yet, they may add knobs. I'm working on a 0-RTT badness detector for websites.
Here's my advice: Just don't use 0-RTT, ever. As a client, pretend it doesn't exist. Always perform stateless connection opening. Bonus: you get to skip implementing it, don't have to worry about that bug surface.
That's a "Security First, Performance Never" kind of position though. We can do both if we push for it! At the speed of light it's 130ms RTT between Madrid and Wellington. Why should it take 260ms just to say hello? That's a very noticeable delay.
Isn't introducing 0-RTT anyway, even knowing it won't be secure when servers cut corners (which many will do), basically the same as openly sacrificing security in this "secure" protocol? Considering how widely used TLS1.3 will be, this seems clearly immoral and deceptive to me
Sacrificing security ... YES. Deceptive ... YES. Immoral ... YOU DECIDE. 0-RTT will save time and energy, at scale I'm sure it could even REDUCE GLOBAL WARMING (seriously). My preference was to ban STEKs and enforce Single-Use Tickets, but it wasn't to be.
Instead of the server "guaranteeing" this in some documentation (bleh), it seems this could be a quick client side / @ssllabs replay unit test labeling the server with secure/safe or insecure/unsafe 0-RTT.
Are there ways you've already established to query the server and determine if they are or are not configured to delete used keys? That sure would be nice. Ain't nobody gonna be taking anyone's word for anything in today's world, you know. That was yesterday with the old folks.
How exactly can I, a client, know this?