- From: Roberto Peon <grmocg@gmail.com>
- Date: Mon, 25 Mar 2013 17:22:45 -0700
- To: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>, agl@google.com
- Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAP+FsNdQ7mNbsaAiUqEF22Oh8KMaK3UWUWFzWE=K0jQbkM7t1Q@mail.gmail.com>
Herve--

We need an option which disables prefix matching on the HeaderDiff
compressor. The strategies I see in the code still allow many headers to be
attacked (if they include commas). I believe that it is still possible to
probe interesting data out of various fields of the URL, for example, or even
cookies, assuming they aren't B64 encoded.

-=R

On Mon, Mar 25, 2013 at 11:38 AM, Roberto Peon <grmocg@gmail.com> wrote:

> There are two obvious strategies here: What we do now, and using what SPDY
> does today (share connections if the certs match and DNS resolution of the
> new hostname overlaps with those of the current connection).
>
> -=R
>
>
> On Mon, Mar 25, 2013 at 10:21 AM, RUELLAN Herve <Herve.Ruellan@crf.canon.fr> wrote:
>
>> > -----Original Message-----
>> > From: Mark Nottingham [mailto:mnot@mnot.net]
>> > Sent: lundi 25 mars 2013 06:56
>> > To: RUELLAN Herve
>> > Cc: Roberto Peon; ietf-http-wg@w3.org Group
>> > Subject: Re: Choosing a header compression algorithm
>> >
>> >
>> > On 23/03/2013, at 5:04 AM, RUELLAN Herve <Herve.Ruellan@crf.canon.fr> wrote:
>> >
>> > > I think it would be good to move this from the compressors to the
>> > > streamifier. In addition, it would be interesting to look at a more
>> > > realistic streamifier that could for example unshard hosts (expecting
>> > > that HTTP/2.0 will remove the sharding currently done by server
>> > > developers).
>> >
>> > Right now, it combines all requests to the same TLD (according to the
>> > Public Suffix List) into a single "connection." Do you have a suggestion
>> > for how to do it better?
>>
>> I think this should provide some "realistic" results as a starting point.
>> Depending on what we want to measure, we may want to refine this a bit.
>>
>> Hervé.
>>
>> > I've just pushed a quick and dirty fix to use a new instance of each
>> > compressor for each connection; the results are pretty even between
>> > headerdiff and delta2, with a small increase in each:
>> >
>> > * TOTAL: 5948 req messages
>> >                                    size   time | ratio  min   max   std
>> >                       http1   3,460,925   0.18 |  1.00  1.00  1.00  0.00
>> > delta2 (max_byte_size=4096)     707,901  11.87 |  0.20  0.03  0.83  0.15
>> >    headerdiff (buffer=4096)     960,106   1.65 |  0.28  0.01  0.96  0.23
>> >
>> > * TOTAL: 5948 res messages
>> >                                    size   time | ratio  min   max   std
>> >                       http1   2,186,162   0.28 |  1.00  1.00  1.00  0.00
>> > delta2 (max_byte_size=4096)     622,837  12.86 |  0.28  0.02  1.22  0.13
>> >    headerdiff (buffer=4096)     596,290   3.65 |  0.27  0.02  0.92  0.18
>> >
>> > Cheers,
>> >
>> >
>> > --
>> > Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 26 March 2013 00:23:12 UTC
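
The concern raised in the message above, as an added example that is not part of the original thread and is not HeaderDiff's code: a toy delta encoder showing that with prefix matching the encoded size of a header value depends on how many leading bytes it shares with a value sent earlier, while exact-match-only encoding gives every non-matching value the same size. The byte costs, the class and function names, and the cookie values are all assumptions constructed for this illustration.

```python
# Toy delta header encoder, constructed for illustration. It is not
# HeaderDiff's wire format; the byte costs below are assumptions.
REF_COST = 2   # assumed: "reuse entry N, first K bytes"
LIT_COST = 1   # assumed: length prefix in front of literal bytes

SECRET = "session=7f3a9c"                         # constructed sample value
LATER_VALUES = ["session=000000", "session=7f0000", "session=7f3a00"]  # constructed


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


class ToyDeltaEncoder:
    def __init__(self, prefix_matching):
        self.prefix_matching = prefix_matching
        self.table = {}  # header name -> values already sent on this connection

    def encoded_size(self, name, value):
        """Return the encoded size in bytes, then remember the value."""
        seen = self.table.setdefault(name, [])
        shared = max((common_prefix_len(value, p) for p in seen), default=0)
        if value in seen:
            size = REF_COST                                   # exact match
        elif self.prefix_matching and shared > 0:
            size = REF_COST + LIT_COST + len(value) - shared  # prefix ref + tail
        else:
            size = LIT_COST + len(value)                      # full literal
        seen.append(value)
        return size


def sizes_after_secret(prefix_matching, secret=SECRET, values=LATER_VALUES):
    """Encode each value on a fresh connection that already carried `secret`."""
    sizes = []
    for value in values:
        enc = ToyDeltaEncoder(prefix_matching)
        enc.encoded_size("cookie", secret)
        sizes.append(enc.encoded_size("cookie", value))
    return sizes


if __name__ == "__main__":
    print("prefix matching on: ", sizes_after_secret(True))
    print("prefix matching off:", sizes_after_secret(False))
```

With prefix matching on, the three equal-length values encode to different sizes; with it off, the size no longer varies with the shared prefix, which is the property a "disable prefix matching" option would be checked against.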