- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 21 Apr 2014 23:59:48 -0700
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Apr 21, 2014, at 9:35 AM, Martin Thomson wrote:

> The real problem here is less with clients, but servers. The BEAST
> demonstrations exploited servers that dynamically compressed content
> without regard to the source of the compressed content.

They exploit compression of user-provided data within a secure channel that can be observed by the attacker (on the same network). Not surprisingly, most HTTP use cases are not affected.

Likewise, restricting packet sizes to a small length in order to prevent fools from HOL blocking their own multiplexed channels makes some sense, for browser developers. However, it actively harms applications of HTTP that are not interested in multiplexing because they only want to transmit a single large data stream. [E.g., for SSH, we have "http://www.psc.edu/index.php/hpn-ssh".]

I don't think it makes sense to limit an application-level protocol to the worst case.

....Roy
Received on Tuesday, 22 April 2014 07:00:11 UTC