Re: Making Implicit C-E work. from Johnny Graettinger on 2014-05-14 (ietf-http-wg@w3.org from April to June 2014)

From: Johnny Graettinger <jgraettinger@chromium.org>
Date: Wed, 14 May 2014 11:52:47 -0400
To: K.Morgan@iaea.org
Cc: Matthew Kerwin <matthew@kerwin.net.au>, Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, C.Brunhuber@iaea.org
Message-ID: <CAEn92TpM82mwHEKiuFA3pHcAs2mXoVg4aOz5Y8+KQfo8VpwZjA@mail.gmail.com>

>
> Nearly all of the problems brought up w.r.t. t-e gzip are also true for
> C-E gzip. This one is no exception.
>
> *Implicit C-E gzip adds a large DoS attack surface to intermediaries.*
> An attacker simply sends requests without ‘accept-encoding: gzip’ from a
> HTTP/1.1. origin through a 1.1<->2 gateway for a resource it knows the
> server will implicitly C-E gzip. Then (using your own words Johnny) “the
> gateway is required to decompress before handing off to the origin … and
> face the ensuing DoS attack surface.”
>

This is a problem which already exists today. As Roberto noted, existing h1
intermediaries add a-e: identity on behalf of clients who didn't ask for
it, and existing servers send c-e: gzip anyway, because the observed impact
of not compressing is higher than the interop issues it introduces.

The DOS mitigation which is available today, and continues to be available
for h2/h1 gateways under implicit c-e: gzip, is to pass through what the
server sent without decompression. There's a high likelihood the h1 client
will be able to handle c-e: gzip  (and even prefers it), which is
definitely not true if t-e: gzip were used instead.

Received on Wednesday, 14 May 2014 15:53:15 UTC