Re: h2#404 requiring gzip and/or deflate

On 2/21/2014 12:09 PM, Bjoern Hoehrmann wrote:
> * Willy Tarreau wrote:
>> [...] That said, I'm still very concerned that we
>> want to mandate such antique bit-oriented algorithms which are extremely
>> slow and memory invasive while we have many much better ones such as
>> snappy, lz4, quicklz and I-don't-know-what which are much more friendly
>> for both ends and better suited for the 21st century's machines and
>> networks.
>
> I expect we will make sure through appropriate specification and testing
> that we can deploy new compression schemes much more easily than it is
> for HTTP/1.1, so I am not too concerned about that. [...]

Another question is whether compression schemes introduce side channels
better to attack TLS. This has been mainly a concern with regard to
authentication information in headers, but the BREACH attack:

http://en.wikipedia.org/wiki/BREACH_%28security_exploit%29

used HTTP body compression.

These are really attacks on web browsers rather than HTTP, as such, but 
in practical terms they are part of the larger problem space.

-- 
     Albert Lunde  albert-lunde@northwestern.edu
                   atlunde@panix.com  (address for personal mail)

Received on Friday, 21 February 2014 19:02:41 UTC