Playback: a TLS 1.3 story

Conference:  Defcon 26



The presentation discusses the security risks of using 0-RTT in TLS 1.3 and proposes various mitigations to prevent replay attacks.
  • 0-RTT in TLS 1.3 can lead to replay attacks by attackers replacing original messages
  • Single-use tickets and client hello recording are two proposed mitigations against replay attacks
  • Application profiles can define which functionality should be exposed over 0-RTT
  • Other mitigations include freshness checks, pollard rotations, and disabling 0-RTT altogether
  • Various companies have implemented different mitigations to prevent replay attacks
The presentation demonstrates how an attacker can potentially replay a request using 0-RTT and perform multiple money transfers. The use of single-use tickets and client hello recording can prevent such attacks.


TLS 1.3 is the new secure communication protocol that should be already with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption) that could potentially allow replay attacks. This is a known issue acknowledged by the TLS 1.3 specification, as the protocol does not provide replay protections for 0-RTT data, but proposed countermeasures that would need to be implemented on other layers, not at the protocol level. Therefore, the applications deployed with TLS 1.3 support could end up exposed to replay attacks depending on the implementation of those protections. This talk will describe the technical details regarding the TLS 1.3 0-RTT feature and its associated risks. It will include Proof of Concepts (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers. Finally, potential solutions or mitigation controls would be discussed that will help to prevent those attacks when deploying software using a library with TLS 1.3 support.