david wong

Hey! I'm David, a security consultant at Cryptography Services, the crypto team of NCC Group . This is my blog about cryptography and security and other related topics that I find interesting.

Facebook's TLS 1.3 library

posted last month

Facebook has released their TLS 1.3 library Fizz in open source. In their post they mention early data (0-RTT):

Using early data in TLS 1.3 has several caveats, however. An attacker can easily replay the data, causing it to be processed twice by the server. To mitigate this risk, we send only specific whitelisted requests as early data, and we’ve deployed a replay cache alongside our load balancers to detect and reject replayed data. Fizz provides simple APIs to be able to determine when transports are replay safe and can be used to send non-replay safe data.

My guess is that either all GET requests are considered safe, or only GET requests on the / route are considered safe. I'm wondering why they use a replay cache on the other side as this overhead could nullify the benefits of 0-RTT.

They also mention every state transitions being stored in one place, this is true:

FIZZ_DECLARE_EVENT_HANDLER(
    ClientTypes,
    StateEnum::Uninitialized,
    Event::Connect,
    StateEnum::ExpectingServerHello);

FIZZ_DECLARE_EVENT_HANDLER(
    ClientTypes,
    StateEnum::ExpectingServerHello,
    Event::HelloRetryRequest,
    StateEnum::ExpectingServerHello);

FIZZ_DECLARE_EVENT_HANDLER(
    ClientTypes,
    StateEnum::ExpectingServerHello,
    Event::ServerHello,
    StateEnum::ExpectingEncryptedExtensions);

I think this is a great idea, which more TLS libraries should emulate. I had started a whitelist of transitions for TLS 1.3 draft 18 here but it's probably outdated.

Well done! You've reached the end of my post. Now you can leave me a comment :)