Facebook's TLS 1.3 library
Facebook has released their TLS 1.3 library Fizz in open source. In their post they mention early data (0-RTT):
Using early data in TLS 1.3 has several caveats, however. An attacker can easily replay the data, causing it to be processed twice by the server. To mitigate this risk, we send only specific whitelisted requests as early data, and we’ve deployed a replay cache alongside our load balancers to detect and reject replayed data. Fizz provides simple APIs to be able to determine when transports are replay safe and can be used to send non-replay safe data.
My guess is that either all GET requests are considered safe, or only GET requests on the / route are considered safe.
I’m wondering why they use a replay cache on the other side as this overhead could nullify the benefits of 0-RTT.
They also mention every state transitions being stored in one place, this is true:
FIZZ_DECLARE_EVENT_HANDLER(
ClientTypes,
StateEnum::Uninitialized,
Event::Connect,
StateEnum::ExpectingServerHello);
FIZZ_DECLARE_EVENT_HANDLER(
ClientTypes,
StateEnum::ExpectingServerHello,
Event::HelloRetryRequest,
StateEnum::ExpectingServerHello);
FIZZ_DECLARE_EVENT_HANDLER(
ClientTypes,
StateEnum::ExpectingServerHello,
Event::ServerHello,
StateEnum::ExpectingEncryptedExtensions);
I think this is a great idea, which more TLS libraries should emulate. I had started a whitelist of transitions for TLS 1.3 draft 18 here but it’s probably outdated.