
Re: New Version Notification for draft-snell-httpbis-keynego-01.txt

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Wed, 20 Nov 2013 01:23:16 +0000
To: Roberto Peon <grmocg@gmail.com>
cc: Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <41368.1384910596@critter.freebsd.dk>
In message <CAP+FsNcNtdo9amaboDDDWbMGz47DgCed6q-BS_zLB275Y_MN4w@mail.gmail.com>, Roberto Peon writes:

>Exposing the framing/length of things that would be in an
>encrypted-by-TLS bytestream today, however, does worry me-- 
>it makes BEAST/CRIME-like attacks significantly more difficult
>to protect against.

Absolutely.

And there is no doubt either that there is a UI challenge in
communicating the security situation, if the various elements you
see are protected to different levels and degrees.

But there are also many benefits, for instance being able to
run the crypto-handshake in parallel with delivery of the first
unprotected page elements, rather than stall everything until TLS
has gotten its bits sorted out.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Wednesday, 20 November 2013 01:23:38 UTC
