Playback: A TLS 1.3 Story

Conference: BlackHat USA 2018



The presentation discusses the impact of zero round trip time (0RTT) in TLS 1.3 and how it can lead to replay attacks. It also provides recommendations on how to prevent such attacks.
  • 0RTT can lead to replay attacks as it allows for the reuse of previously sent data
  • Applications need to be aware of 0RTT and implement additional protections to prevent replay attacks
  • Mitigations include disabling 0RTT, implementing strict browser request forgery policies, and creating a strict application profile
  • Various organizations have implemented different protections against 0RTT, such as single-use tickets and disabling 0RTT by default
The presenter demonstrates how an attacker can use 0RTT to perform a replay attack on a banking application. By intercepting the communication between the web browser and the server, the attacker sends a 0RTT packet, which the server accepts. The attacker then sends a rejection to the browser, forcing a full handshake. After the handshake, the original request is sent again and the server accepts it, so the same request is processed twice and the replay attack succeeds. This illustrates the potential danger of 0RTT and the need for additional protections.


TLS 1.3 is the new secure communication protocol that should already be with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption), which could potentially allow replay attacks. This is a known issue acknowledged by the TLS 1.3 specification: the protocol does not provide replay protection for 0-RTT data, but proposes countermeasures that need to be implemented on other layers, not at the protocol level. Therefore, applications deployed with TLS 1.3 support could end up exposed to replay attacks, depending on how those protections are implemented. This talk will describe the technical details of the TLS 1.3 0-RTT feature and its associated risks. It will include Proofs of Concept (PoC) showing real-world replay attacks against TLS 1.3 libraries and browsers. Finally, potential solutions and mitigation controls will be discussed that help prevent those attacks when deploying software using a library with TLS 1.3 support.
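
One way to combine two of the mitigations listed in the summary (single-use tickets and a strict application profile) at the origin, as an added example that is not code from the talk or from any TLS library. The class, the `early_data` flag and the `ticket` value are assumptions: they stand for what a TLS terminator would report to the application, for example through the `Early-Data: 1` header and the 425 status of RFC 8470.

```python
import hashlib
import time

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumed profile: only these may run from 0-RTT
TOO_EARLY = 425  # RFC 8470 "Too Early": client should retry after the full handshake


class EarlyDataGuard:
    """Hypothetical origin-side gate for requests that arrived as TLS 1.3 early data."""

    def __init__(self, ticket_lifetime=7200.0, clock=time.monotonic):
        self._used = {}  # sha256(ticket) -> expiry; must be shared by all servers
        self._lifetime = ticket_lifetime  # assumed equal to the TLS ticket lifetime
        self._clock = clock

    def _first_use(self, ticket):
        now = self._clock()
        # Drop entries for tickets the TLS layer would already refuse as expired.
        self._used = {k: exp for k, exp in self._used.items() if exp > now}
        key = hashlib.sha256(ticket).digest()
        if key in self._used:
            return False
        self._used[key] = now + self._lifetime
        return True

    def decide(self, method, early_data, ticket=None):
        """Return (status, reason); 200 means hand the request to the application."""
        if not early_data:
            return 200, "full handshake"
        if method.upper() not in SAFE_METHODS:
            return TOO_EARLY, "state-changing method in early data"
        if ticket is None or not self._first_use(ticket):
            return TOO_EARLY, "ticket missing or already used"
        return 200, "early data accepted"


def replay_demo():
    """Constructed traffic: (method, early_data, ticket) as seen by the origin."""
    guard = EarlyDataGuard(clock=lambda: 0.0)
    traffic = [
        ("POST", True, b"ticket-A"),  # transfer sent as 0-RTT: refused, never executed
        ("POST", False, None),        # retry after the full handshake: executed once
        ("GET", True, b"ticket-B"),   # safe request, first use of the ticket
        ("GET", True, b"ticket-B"),   # second copy with the same ticket: refused
    ]
    return [guard.decide(*req)[0] for req in traffic]


if __name__ == "__main__":
    print(replay_demo())
```

With this gate the transfer from the banking demo runs only on the post-handshake copy; the ticket table only works across a server farm if every node shares it.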