Internet and Networking

A Non-Technical Intro to Zero Round Trip Time Resumption (0-RTT) From Cloudflare

A quick note before we begin: while not strictly accurate, for the purposes of this post and its analogies, you can think of a client as a web browser and a server as a website.

In short, Zero Round Trip Time Resumption, or 0-RTT, speeds things up for clients that are resuming a connection to your site: the client can send its first request right away instead of waiting for the TLS handshake to finish.

Technically, a resumption occurs when a client reuses a secret it kept from an earlier handshake with the same server (the session ticket), so the two sides can skip part of the handshake. With 0-RTT, the client goes one step further: it encrypts its first request under that reused secret and sends it along with its very first message, before the server has replied at all.

Confused? Think about it this way (for analogical purposes only): say you’re going to a new place for the first time, and it takes 15 minutes to get there (5 minutes navigation setup time + 10 minutes travel time). Now, when you go to the same place again, you’ll save 5 minutes because you already know the way, and therefore, won’t require navigation. The idea of resumption is similar.

How To Turn On 0-RTT in Cloudflare?

For free Cloudflare users, 0-RTT is accessible inside the “Network” app/tab — whatever you call it. It will be right below the HTTP/3 (With QUIC) setting.

Once the option is visible, free users can turn on 0-RTT with a single toggle switch, and it can be turned off just as easily.

[Screenshot: How To Turn On 0-RTT in Cloudflare]
As shown, turning on 0-RTT in Cloudflare is uncomplicated; it just needs a mouse click on a toggle button.

The Primary Security Risk of Using 0-RTT (Although, It Shouldn’t Be if Websites Truly Had Proper Mechanisms in Place Against Attacks)

The primary concern with 0-RTT is what's called a replay attack. Because the client's first request is encrypted under a key reused from an earlier handshake, a malicious actor on the network who gets hold of that initial transmission can hold it back or resend it later, without being able to read it. The server cannot tell the copy from the original, so it may act on the same message twice.

A typical example cited on the internet is a financial transaction. Imagine you're sending $100 to someone and that request goes out as 0-RTT data. The attacker captures the encrypted message and sends it again; if the server processes the copy, you've sent $100 twice. Note that the attacker never decrypts anything: replaying the ciphertext is enough.

As Cloudflare puts it, it’s important to remember that HTTP requests aren’t just for loading a webpage. They are utilized for many more aspects of online experiences, for instance, financial transactions.

How Cloudflare Mitigates the Risk of a Replay Attack

As hinted earlier, websites that are serious about their security should have their own defenses against replay; however, Cloudflare also takes a few safety measures on its end when 0-RTT is enabled. Specifically, these are:

  1. Only GET requests can use 0-RTT. HTTP has several request methods (GET, POST, PUT, and so on). GET is defined as a "safe" method: it is expected only to read data, never to change the server's state, so repeating one should be harmless. The caveat is that a site whose GET requests do change state (say, a link that triggers a transfer) loses this protection.
  2. Next, Cloudflare says it can uniquely recognize each connection resumption attempt, and it passes that information to the origin server in a dedicated header. A replayed attempt carries the same value, so if the origin sees a value it has already processed, it knows the request is a replay and can refuse it. For easier understanding, say 1234 is the code for one resumption. If 1234 shows up again, we, as the origin server, should recognize the repeat. The standardized way to refuse such a request is HTTP status 425 Too Early (RFC 8470), after which the client retries once the full handshake has completed. The origin has to implement this check itself; Cloudflare only supplies the signal.
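To make the replay scenario above and the origin-side checks concrete, here is an added example (not Cloudflare's code and not from the original post) of a toy origin that handles a money-moving request delivered as 0-RTT early data. It uses the RFC 8470 `Early-Data: 1` header as the "this arrived as early data" signal; the resumption-id header name `x-0rtt-unique`, the `/transfer` endpoint and the account balance are all assumptions made for the example, standing in for the unique per-resumption value the post says Cloudflare relays.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# "Early-Data: 1" is the RFC 8470 signal that a request arrived as TLS 1.3
# early data. The resumption-id header name below is an assumption for this
# example, standing in for the unique per-resumption value the edge relays.
EARLY_DATA_HEADER = "early-data"
RESUMPTION_ID_HEADER = "x-0rtt-unique"

# HTTP methods defined as "safe" (no server state change) by RFC 9110.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    method: str
    target: str    # path plus query string, e.g. "/transfer?to=bob&amount=100"
    headers: dict  # lower-case header names -> values


@dataclass
class Origin:
    """Toy origin: one account balance plus a memory of resumption ids already processed."""
    balance: int = 1000
    replay_protection: bool = True
    seen_ids: set = field(default_factory=set)

    def handle(self, req: Request) -> tuple[int, str]:
        early = req.headers.get(EARLY_DATA_HEADER) == "1"
        if early and self.replay_protection:
            # Never act on a state-changing method carried in early data: answer
            # 425 Too Early (RFC 8470) and let the client retry after the handshake.
            if req.method not in SAFE_METHODS:
                return 425, "Too Early"
            rid = req.headers.get(RESUMPTION_ID_HEADER)
            # Assumed: a byte-for-byte replay of the early data carries the same
            # id, so an id seen before (or a missing id) is refused, not re-run.
            if rid is None or rid in self.seen_ids:
                return 425, "Too Early"
            self.seen_ids.add(rid)
        return self._dispatch(req)

    def _dispatch(self, req: Request) -> tuple[int, str]:
        parts = urlsplit(req.target)
        if parts.path == "/transfer":
            # A GET that moves money: exactly the unsafe use of a "safe" method
            # that makes replayed 0-RTT data dangerous.
            amount = int(parse_qs(parts.query).get("amount", ["0"])[0])
            if amount <= 0 or amount > self.balance:
                return 400, "bad amount"
            self.balance -= amount
            return 200, f"sent {amount}, balance {self.balance}"
        return 404, "not found"


def replay_scenario(replay_protection: bool) -> int:
    """Deliver a constructed 0-RTT transfer request, then replay it verbatim; return the final balance."""
    origin = Origin(replay_protection=replay_protection)
    captured = Request(
        "GET", "/transfer?to=bob&amount=100",
        {EARLY_DATA_HEADER: "1", RESUMPTION_ID_HEADER: "8d2f0c3a41e64b9f"},  # constructed id
    )
    origin.handle(captured)  # legitimate first delivery
    origin.handle(captured)  # attacker resends the captured early data
    return origin.balance


if __name__ == "__main__":
    print("no replay protection:", replay_scenario(False))   # 800: the $100 left twice
    print("with replay protection:", replay_scenario(True))  # 900: the replay got 425
```

The two runs differ only in whether the origin remembers resumption ids: without that memory the replayed GET is indistinguishable from the original and the account is debited twice. A request that arrives after a full handshake (no `Early-Data` header) skips the id check, because an attacker cannot replay it without completing a fresh handshake of their own.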

Are You Using 0-RTT From Cloudflare?

When it comes to making connections, requests, and page performance better for my site users, I am usually the first to hop onto it.

But the decision to use 0-RTT should come from your Networking and Engineering team. In my opinion, if all you’re running is a blog or a site that doesn’t involve eCommerce, ongoing subscriptions, logins, etc., it should be reasonably safe to do so.

I’ve realized that many Cloudflare users aren’t even aware of some of the accessible features they can benefit from. So if you’re in doubt or if you’ve come across this post, ask the experts in your organization if it would be a good idea to wield the power of 0-RTT. Because clearly, it does provide an edge.

Sidenote: QUIC 0-RTT Resumption is a thing now. Read more here.

Expert Source

  • Cloudflare: check it out if you want more details about how 0-RTT functions.