
Re: Response to HTTP2 expressions of interest

From: Brian Pane <brianp@brianp.net>
Date: Fri, 13 Jul 2012 12:26:49 -0700
Message-ID: <CAAbTgTv4QxwyBy5Fp5xg7A_WAQ2BAxrK=Ui932amJrXZ2iA50A@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Friday, July 13, 2012, Poul-Henning Kamp wrote:

> In message <CAHBU6itLXj1W2uGEFvMEemi5hBrYjmaeYq-8b0oJvzKdvCh34Q@mail.gmail.com>,
> Tim Bray writes:
>
> >How much information needs to be in the unprotected envelope?  Because one
> >of the benefits of transport-level security is that a snooper, for example
> >a government tracking dissidents, knows little/nothing about my traffic
> >aside from the routing.  Not a rhetorical question.  -Tim
>
> And this is exactly about the routing.
>
> The three fields that today should be part of the envelope are
> "Host:", URI (sans query part) and Session-Nonce.  (Since we don't
> actually have a session-nonce, today people route on cookies.)


From the perspective of a load balancer, having just those three fields in
cleartext isn't sufficient. Sending a request to the proper upstream
destination may require information from Cookie, X-Forwarded-For, and more.

And because there's an overlap between the fields often needed for load
balancing and the fields that contain PII, trying to put the former in a
cleartext envelope is a tricky proposition.

I'm not too concerned about load balancers having to decrypt messages,
though: SSL termination has been a key selling point for load balancers for
many years.

-Brian
Received on Friday, 13 July 2012 19:27:16 GMT
