W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Design Issue: Overlong Frames

From: James M Snell <jasnell@gmail.com>
Date: Fri, 10 May 2013 11:29:16 -0700
Message-ID: <CABP7RbcUuYVG9v6aoC1m1qkHw6M2xb4eOzY32QgieKDznDZefg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Fri, May 10, 2013 at 10:36 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 9 May 2013 10:26, James M Snell <jasnell@gmail.com> wrote:
>> Recommendation: Adding a short statement that a PROTOCOL_ERROR MUST be
>> returned if a frame contains more bytes than what is expressly
>> specified in the frame definition.
> That would prevent extension unnecessarily.  And it doesn't do
> anything to improve security.

How does it prevent extension? If someone wants to extend an existing
frame to include new data, it can define a new frame type.

> When you want to harden security, you need to consider what equivalent
> options are available to an attacker.  If I wanted to send you more
> data, then I will use DATA frames.  Unless you can find a way to
> curtail DATA I see no reason to clamp down here.

In my experience, it's generally better to limit the exploitation options ;-)

- James
Received on Friday, 10 May 2013 19:31:19 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:13 UTC