Le specifiche per TLS 1.3 0-RTT menzionano quanto segue minaccia che un utente malintenzionato potrebbe realizzare:
Network attackers who take advantage of client retry behavior to arrange for the server to receive multiple copies of an application message. This threat already exists to some extent because clients that value robustness respond to network errors by attempting to retry requests. However, 0-RTT adds an additional dimension for any server system which does not maintain globally consistent server state. Specifically, if a server system has multiple zones where tickets from zone A will not be accepted in zone B, then an attacker can duplicate a ClientHello and early data intended for A to both A and B. At A, the data will be accepted in 0-RTT, but at B the server will reject 0-RTT data and instead force a full handshake. If the attacker blocks the ServerHello from A, then the client will complete the handshake with B and probably retry the request, leading to duplication on the server system as a whole.
La mia domanda è: dov'è l'attacco? Alla fine della giornata, l'attaccante poteva anche aver passato la sua copia di ClientHello alla Zona B e ottenere lo stesso risultato (una stretta di mano completa). Cosa mi manca?