- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 2 May 2014 13:15:12 -0700
- To: William Chan (陈智昌) <willchan@chromium.org>
- Cc: Erik Nygren <erik@nygren.org>, HTTP Working Group <ietf-http-wg@w3.org>

On 2 May 2014 12:59, William Chan (陈智昌) <willchan@chromium.org> wrote:

> The difference here is that we're leaking more information (theoretically to the
> same server, so it's not really an information leak).

It is a problem only because clients can have altsvc information persisted for a very long time. This produces a way of correlating requests from clients between connections.

(Even if we decide to drop this indicator, those tracking concerns are worth retaining; there's still the implicit leak.)

> I would contrast this with HTTP redirect loops which never terminate and we
> show an error for after too many redirects. But with ALTSVC, if you race the
> different connections anyway, then everything will always work. It'll just
> be suboptimal since you're setting up and tearing down connections all the
> time.

Yes, that's exactly the analogy I was using. The only difference is perhaps that the damage can be hidden. Everything continues to work, but you spend more time on new connections than might be ideal.

Received on Friday, 2 May 2014 20:15:39 UTC