Add 0-RTT - Githubissues

phip1611 / ttfb

Library + CLI-Tool to measure the TTFB (time to first byte) of HTTP requests. Additionally, this crate measures the times of DNS lookup, TCP connect and TLS handshake.

MIT License

41 stars 11 forks source link

Add 0-RTT #46

Open Seirdy opened 5 months ago

Seirdy commented 5 months ago

When it's safe to use, 0-RTT can significantly reduce the TTFB. Measuring savings can help inform the cost-effectiveness of implementing safeguards against replay attacks and adopting 0-RTT; this tool is in the perfect position to help.

phip1611 commented 5 months ago

Hey @Seirdy , thanks for the interest in my library. Can you please provide some more context regarding 0-RTT? Never really heard about it, TBH.

Seirdy commented 4 months ago

It allows servers to start sending data before completing a TLS handshake. Significantly reduces the TTFB over TLS, as only one round-trip is required (no extra round-trips with QUIC!).

TLS 1.3 Specification, section 2.3. Appendix E5 describes security considerations.
More info in the context of QUIC is in RFC 9001 section 4.6.
Cloudflare blog post
More info security considerations. Most idempotent content (such as static content) should be safe.

phip1611 commented 4 months ago

Does this require QUIC or does it also work with HTTP/1.1? That's not entirely clear to me?

phip1611 commented 4 months ago

I'm unsure how to implement this. Currently, the TLS connection is backed up by rustls. It seems to have 0-rtt support.

Unfortunately, I do not have the capacity now or in the next weeks to work on that. But I'd be happy to with reviewing contributions and eventually merging them.

On the long term, I'd like to have a CLI like this:

ttfb [--http11] [--http2] [--http3] [--quic]

including 0-RTT (possible via CLI flag) - but it takes some effort to do this.