Hello. After quite a bit of reading, it looks like the potential security risk(s) are not worth the potential performance boost? Is that a true statement, currently?

I’m running an eCommerce website w/ WordPress, and the below is concerning…if still accurate.

 E.5.  Replay Attacks on 0-RTT

    Replayable 0-RTT data presents a number of security threats to TLS-
    using applications, unless those applications are specifically
    engineered to be safe under replay (minimally, this means idempotent,
    but in many cases may also require other stronger conditions, such as
    constant-time response).  Potential attacks include:

    -  Duplication of actions which cause side effects (e.g., purchasing
       an item or transferring money) to be duplicated, thus harming the
       site or the user.

    -  Attackers can store and replay 0-RTT messages in order to re-order
       them with respect to other messages (e.g., moving a delete to
       after a create).

    -  Exploiting cache timing behavior to discover the content of 0-RTT
       messages by replaying a 0-RTT message to a different cache node
       and then using a separate connection to measure request latency,
       to see if the two requests address the same resource.

    Ultimately, servers have the responsibility to protect themselves
    against attacks employing 0-RTT data replication.  The mechanisms
    described in Section 8 are intended to prevent replay at the TLS
    layer but do not provide complete protection against receiving
    multiple copies of client data.  
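As an added illustration (not part of any post in this thread, and not Cloudflare's or WooCommerce's code): a constructed simulation of what the quoted RFC text means for a checkout endpoint. The same purchase request is delivered several times, as a replayed 0-RTT record would be; the naive handler creates an order per copy, while the replay-safe handler deduplicates on a client-supplied idempotency key. The `Early-Data: 1` header and the 425 (Too Early) status come from RFC 8470, which is assumed here rather than quoted in the thread.

```python
"""Constructed example: why a 0-RTT replay of a non-idempotent request is
harmful, and how an idempotency key plus RFC 8470's early-data signal fix it."""
from dataclasses import dataclass, field


@dataclass
class Shop:
    orders: list = field(default_factory=list)
    seen_keys: dict = field(default_factory=dict)  # idempotency key -> order id

    def naive_purchase(self, request):
        """No replay protection: every delivered copy of the request, including
        a replayed 0-RTT copy, places a new order and charges again."""
        order_id = len(self.orders) + 1
        self.orders.append((order_id, request["item"], request["amount"]))
        return 200, order_id

    def safe_purchase(self, request):
        """Replay-safe variant.  A request that a TLS terminator marked as early
        data ('Early-Data: 1', RFC 8470) is refused with 425 Too Early so the
        client retries after the handshake completes; otherwise the idempotency
        key guarantees at most one order per key, whatever the copy count."""
        if request.get("headers", {}).get("Early-Data") == "1":
            return 425, None
        key = request.get("idempotency_key")
        if key is None:
            return 400, None  # non-idempotent side effect without a key: reject
        if key in self.seen_keys:
            return 200, self.seen_keys[key]  # duplicate: return the same order
        order_id = len(self.orders) + 1
        self.orders.append((order_id, request["item"], request["amount"]))
        self.seen_keys[key] = order_id
        return 200, order_id


def replay(shop, handler, request, copies=2):
    """Simulate a captured request being delivered `copies` times."""
    return [handler(request) for _ in range(copies)]


if __name__ == "__main__":
    req = {"item": "sku-123", "amount": 4999, "idempotency_key": "k1"}
    naive = Shop()
    replay(naive, naive.naive_purchase, req, 3)
    print("naive handler orders:", len(naive.orders))   # 3 orders, charged 3x
    safe = Shop()
    replay(safe, safe.safe_purchase, req, 3)
    print("safe handler orders:", len(safe.orders))     # 1 order
```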



You can certainly opt out of using if you’re not comfortable with it.

Here’s a blog post with the security concerns addressed near the end:



One of the virtues of payments is that they are idempotent.
Even if your website is using TLS 1.3 0-RTT, the best practices for payment should be using a token methodology where your client connects directly to your payment processor and you receive a token.

Losing that token doesn’t jeopardize you or your client data.

Have you implemented Authenticated Origin Pull?



If you’re talking to me, I have no clue what you’re asking or talking about.

I’m running WooCommerce/WordPress w/ the WooCommerce Stripe payment gateway.



If you use Stripe, you will never have an issue with Replay Attacks on 0-RTT.
Stripe handles all the transactions for you safely.



Awesome! Thanks…now we’re getting somewhere.

