- From: Adrian Chadd <adrian@creative.net.au>
- Date: Fri, 29 Oct 2010 14:28:54 +0800
- To: Willy Tarreau <w@1wt.eu>
- Cc: Mark Nottingham <mnot@mnot.net>, Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Fri, Oct 29, 2010, Willy Tarreau wrote:
> On Fri, Oct 29, 2010 at 04:41:14PM +1100, Mark Nottingham wrote:
> > It's not free, as evidenced by the hoops that are being jumped through to try to make sure that it isn't treated like HTTP.
>
> No, we're trying to make sure it *is* treated like HTTP even on non
> completely HTTP compliant stacks which could possibly treat the tunnelled
> data as HTTP too while they must not. Otherwise, the 101+upgrade perfectly
> fits the purpose.

I know I've asked this before, but what about devices that wish to pull apart the CONNECT traffic (MITM security appliances) and, deciding the traffic isn't actually HTTP, quite rightly deny it?

What about statistical fingerprinting of traffic? (i.e., fingerprinting whether a CONNECT session is likely to be HTTP or not based on exchanged traffic patterns.)

Adrian

Received on Friday, 29 October 2010 06:29:24 UTC