Re: HTTP/2 DoS Vulnerability (Was: HTTP/2 response completed before its request)

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Wed, 02 Jul 2014 06:46:34 +0000
To: "Eric J. Bowman" <eric@bisonsystems.net>
cc: Roberto Peon <grmocg@gmail.com>, Jeff Pinner <jpinner@twitter.com>, Johnny Graettinger <jgraettinger@chromium.org>, William Chan (陈智昌) <willchan@chromium.org>, Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, Jesse Wilson <jesse@swank.ca>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <19557.1404283594@critter.freebsd.dk>
In message <20140702003841.39ce24b01a491aaedf288969@bisonsystems.net>, "Eric J. Bowman" writes:
>"Poul-Henning Kamp" wrote:
>> Since it seems HTTP/2 is just going to be a short lived stopgap on top
>> of TLS only, maybe it will never become a real problem.
>> In HTTP/3 we'll have to be serious about it.
>My disillusionment with the HTTP/2 process stems from this concept that
>it doesn't need to be "gotten right" because we'll address any problems
>in HTTP/3. Am I the only one who thinks the horse should come before
>the cart?

What really surprises me is that we see such proposals to name&shame
proxies which do not allow random private extensions through, but
no proposals to name&shame browsers which do not want to support
HTTP/2 upgrade?

The goals are obviously not to ensure the widest possible adoption
of HTTP/2.

It certainly looks like a number of WG participants are much more
focused on getting HTTP/2 to work for their own private, (soon to
be walled ?), garden, than on making HTTP/2 the best possible protocol
for the web as such.

Poul-Henning Kamp
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
