Re: Review: http://www.ietf.org/id/draft-mbelshe-httpbis-spdy-00.txt

On 2012-02-28 23:52, Mike Belshe wrote:
> Hi, Willy -
>
> Thanks for the insightful comments about header compression.  I'm out of
> the country for a few days, so I am slow to reply fully.
>
> We did consider this, but ultimately decided it was mostly a non-issue,
> as the problem already exists.   Specifically - the same amplification
> attacks exist in the data stream with data gzip encoding.  You could
> make an argument that origin servers and proxy servers are different, I
> suppose; but many proxy servers are doing virus scanning and other
> content checks anyway, and already decoding that stream.  But if you're
> still not convinced, the problem also exists at the SSL layer.  (SSL
> will happily negotiate compression of the entire stream - headers & all
> - long before it gets to the app layer).  So overall, I don't think this
> is a new attack vector for HTTP.
> ...

Am I missing something? When using SSL, the intermediate won't see the 
contents of the message anyway, right? (and yes, I'm aware of the "but", 
but that's not something we need to optimize for...)

Best regards, Julian

Received on Tuesday, 28 February 2012 23:03:00 UTC