Re: Frame Length Restrictions from Jeff Pinner on 2014-04-22 (ietf-http-wg@w3.org from April to June 2014)

From: Jeff Pinner <jpinner@twitter.com>
Date: Mon, 21 Apr 2014 17:01:47 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Johnny Graettinger <jgraettinger@chromium.org>, Patrick McManus <mcmanus@ducksong.com>, K.Morgan@iaea.org, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CA+pLO_iqHbmiJYiQVkW7gNTwxFFa5uxEWwRdhZ-_87uzMhh+fw@mail.gmail.com>

>
>
> > Now, if I operate under the assumption that an adversary can force my
> server
> > to produce full size frames, [...]
>
> This is where we have the disconnect.  If an adversary has that much
> control over your code, I don't trust *anything* you are sending me.
> What's padding going to do to help then?
>

My assumption here, is similar to BREACH, user input can be reflected in
HTTP response bodies, which the upstream servers naively split into 16K
data frames using whatever HTTP/2 library they have chosen.

Received on Tuesday, 22 April 2014 00:02:14 UTC