Re: New Version Notification for draft-bishop-http2-extension-frames-00.txt

Le Mar 12 novembre 2013 17:43, James M Snell a écrit :
> Content filtering is a different matter entirely, and usually happens
> in a way that is content-sensitive.

I like "usually". The truth is that outside advertisers, the NSA and
Hollywood movies the amount of content analysis done out there is very
minimal. There is known safe stuff, known unsafe stuff, a lot of probably
safe stuff, and
weird-stuff-we-dont-have-time-to-analyse-that-we-will-drop-for-now

What I'm use is any part of the spec with "use this if you want to avoid
filtering" is certain to be abused sooner than later. Just like port 443
and https encapsulation have been abused widely as soon as it become clear
it avoided lots of controls.

> The kind of "silent dropping"
> that's being discussed here is indiscriminate, with no consideration
> being given to the frame content. The fact of the matter is that
> silently dropping end-to-end frames without understanding why they've
> been transmitted is extremely dangerous.

So is "blindly accept what you don't know". No security professional will
sign on such a proposal, since he has to justify why he let dangerous
traffic pass in case of incident.

-- 
Nicolas Mailhot

Received on Thursday, 14 November 2013 11:39:01 UTC