- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Fri, 4 Aug 2017 11:07:12 +0300
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Kazuho Oku <kazuhooku@gmail.com>, Victor Vasiliev <vasilvv@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Aug 04, 2017 at 05:58:28PM +1000, Martin Thomson wrote:
> On 4 August 2017 at 17:43, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>
> > However, that there should not be 0-RTT strike registers at HTTP level
> > does not imply that there should not be HTTP-level request strike
> > registers, but those strike registers need to span both 0-RTT and 1-RTT
> > in order to combat retries, not just replays.
>
> I share this view. TLS does what it can to prevent replay, but the
> ultimate defense (if you ever want to handle 0-RTT, or ever really) is
> to have anti-replay/de-duplication at the level of the request.

Given how eager browsers are to retry requests (and some UI gotchas that
cause duplicate requests), one already needs to have request-level
deduplication if the application is meant to be accessed from browsers.

-Ilari
Received on Friday, 4 August 2017 08:07:39 UTC
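The request-level de-duplication register the thread argues for, as an added example that is not code from any of the participants: it keys on a hypothetical client-supplied request id rather than on anything the TLS layer knows, so a 0-RTT replay and a 1-RTT browser retry of the same request collide in one entry and the side-effecting handler runs once. The 30-second window and the request id field are assumptions.

```python
import time
from dataclasses import dataclass


@dataclass
class Request:
    # Constructed shape of a request as the application sees it. `early`
    # records whether it arrived as TLS 1.3 0-RTT early data; the register
    # deliberately ignores it, since a 1-RTT retry is just as much a duplicate.
    path: str
    request_id: str  # hypothetical client-supplied idempotency token
    early: bool


class RequestRegister:
    """Remember request ids for `window` seconds and suppress re-execution."""

    def __init__(self, window: float, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self._seen = {}  # request_id -> (first_seen, cached response)

    def handle(self, req: Request, execute):
        """Run execute(req) at most once per id; return (response, is_duplicate)."""
        now = self.clock()
        # Drop entries older than the window so the register stays bounded.
        for k in [k for k, (t, _) in self._seen.items() if now - t > self.window]:
            del self._seen[k]
        hit = self._seen.get(req.request_id)
        if hit is not None:
            return hit[1], True  # replay or retry: answer from cache, no side effect
        resp = execute(req)
        self._seen[req.request_id] = (now, resp)
        return resp, False


def demo():
    # Constructed traffic: one POST arrives three times, first as 0-RTT early
    # data, then as a 0-RTT replay, then as a browser retry over 1-RTT.
    clock = [0.0]
    reg = RequestRegister(window=30.0, clock=lambda: clock[0])
    executed = []

    def transfer(req):
        executed.append(req.path)
        return "202 Accepted"

    same = dict(path="/transfer", request_id="7f3a-constructed-id")
    arrivals = [Request(early=True, **same), Request(early=True, **same), Request(early=False, **same)]
    dup_flags = [reg.handle(r, transfer)[1] for r in arrivals]
    clock[0] = 60.0  # past the window: the id has been forgotten, so a retry now re-executes
    late_dup = reg.handle(arrivals[2], transfer)[1]
    return len(executed), dup_flags, late_dup
```

The last step is the caveat: the window has to outlast the longest plausible retry horizon, or a late 1-RTT retry is executed as if it were new.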