- From: Jason Greene <jason.greene@redhat.com>
- Date: Fri, 11 Jul 2014 13:45:49 -0500
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Greg Wilkins <gregw@intalio.com>, Jeff Pinner <jpinner@twitter.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Jul 11, 2014, at 1:38 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 11 July 2014 11:35, Jason Greene <jason.greene@redhat.com> wrote:
>>> http://lists.w3.org/Archives/Public/ietf-http-wg/2014JulSep/0760.html
>>
>> Ok in that case, Roberto's analysis does not prove what you say it does.
>
> I'm pretty sure that it does.
>
> This point:
>> The current design handles this fairly well, at most one set of headers can
>> be incomplete at any point in time (sending a large number of incomplete
>> headers and keeping most of them incomplete most of the time is an
>> excellent attack vector, which the design currently precludes).

This is the flaw:

"1) Stalling a connection by never finishing the sending of a full set of
headers. I don't find #1 interesting, since the attacker is mostly just
attacking themselves"

If you coalesce connections there are N users per connection. That's a real
problem you can't just wave away.

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
Received on Friday, 11 July 2014 18:47:13 UTC
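The stall Jason describes, worked through as an added example (this is editorial illustration, not code from the thread or from any HTTP/2 implementation). HTTP/2 permits at most one unfinished header block (a HEADERS frame without END_HEADERS followed by CONTINUATION frames) per connection, and any other frame received while a block is open is a connection error. A peer that opens a block and never finishes it therefore stalls the connection. The simulation below shows that rule on a receiver, then compares a coalescing proxy that relays frames as they arrive (one stalled user blocks everyone sharing the upstream connection) with one that buffers each user's block until END_HEADERS before relaying it (the stall is confined to the offender). Frame objects, user labels ("alice", "bob", "carol") and the `max_block_frames` limit are all constructed for the example.

```python
"""Added example: one open header block per HTTP/2 connection, and what that
means for a proxy that coalesces N users onto one upstream connection.
All frames and user labels here are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

END_HEADERS = 0x4  # HTTP/2 flag bit on HEADERS and CONTINUATION frames


@dataclass
class Frame:
    kind: str        # "HEADERS", "CONTINUATION", "DATA", ...
    stream_id: int
    flags: int = 0
    owner: str = ""  # constructed label: which downstream user sent it


class ProtocolError(Exception):
    """Connection error: a frame was interleaved inside an open header block."""


@dataclass
class Connection:
    """Receiver-side bookkeeping for the header-block rule on one connection."""
    open_block: Optional[int] = None                  # stream whose block is unfinished
    completed: List[int] = field(default_factory=list)   # streams with complete headers
    delivered: List[Frame] = field(default_factory=list)  # non-header frames accepted

    def continues_block(self, f: Frame) -> bool:
        return f.kind == "CONTINUATION" and f.stream_id == self.open_block

    def receive(self, f: Frame) -> None:
        if self.open_block is not None:
            if not self.continues_block(f):
                raise ProtocolError(f"{f.kind} on stream {f.stream_id} while the "
                                    f"header block on stream {self.open_block} is open")
            if f.flags & END_HEADERS:
                self.completed.append(self.open_block)
                self.open_block = None
            return
        if f.kind == "CONTINUATION":
            raise ProtocolError("CONTINUATION with no open header block")
        if f.kind == "HEADERS":
            if f.flags & END_HEADERS:
                self.completed.append(f.stream_id)
            else:
                self.open_block = f.stream_id  # nothing else may follow until END_HEADERS
            return
        self.delivered.append(f)


def violates_rule(frames: List[Frame]) -> Optional[str]:
    """Feed frames to a fresh receiver; return the error text if the rule is broken."""
    conn = Connection()
    try:
        for f in frames:
            conn.receive(f)
    except ProtocolError as e:
        return str(e)
    return None


def forward_naively(frames: List[Frame]) -> Tuple[List[Frame], List[str]]:
    """Coalescing proxy that relays each frame upstream as it arrives.
    Once one user leaves a block open, nothing else may legally be sent on
    the shared connection, so every later frame from every user is stuck."""
    conn = Connection()
    forwarded: List[Frame] = []
    for i, f in enumerate(frames):
        if conn.open_block is not None and not conn.continues_block(f):
            return forwarded, sorted({g.owner for g in frames[i:]})
        conn.receive(f)
        forwarded.append(f)
    return forwarded, []


def forward_complete_blocks(frames: List[Frame], max_block_frames: int = 8
                            ) -> Tuple[List[Frame], List[str], List[str]]:
    """Hardened coalescing proxy: buffer each user's block per stream and relay
    it upstream back-to-back only once END_HEADERS arrives, so the shared
    connection never carries an open block owned by a stalled user.  A user
    whose block exceeds max_block_frames, or who interleaves another frame
    inside its own open block, is dropped and reported as abusive."""
    conn = Connection()
    partial: Dict[Tuple[str, int], List[Frame]] = {}
    forwarded: List[Frame] = []
    abusive: List[str] = []
    for f in frames:
        if f.owner in abusive:
            continue
        if f.kind not in ("HEADERS", "CONTINUATION"):
            if any(owner == f.owner for owner, _ in partial):
                abusive.append(f.owner)  # this user broke the rule on its own connection
                partial = {k: v for k, v in partial.items() if k[0] != f.owner}
                continue
            conn.receive(f)
            forwarded.append(f)
            continue
        key = (f.owner, f.stream_id)
        buf = partial.setdefault(key, [])
        buf.append(f)
        if len(buf) > max_block_frames:
            abusive.append(f.owner)
            del partial[key]
        elif f.flags & END_HEADERS:
            for g in partial.pop(key):  # whole block goes out contiguously
                conn.receive(g)
                forwarded.append(g)
    stalled = sorted({owner for owner, _ in partial})  # still holding an open block
    return forwarded, stalled, abusive


# Constructed traffic from three users sharing one upstream connection:
# alice opens a header block and never finishes it.
SAMPLE_FRAMES = [
    Frame("HEADERS", 1, 0, "alice"),
    Frame("HEADERS", 3, END_HEADERS, "bob"),
    Frame("DATA", 3, 0, "bob"),
    Frame("HEADERS", 5, 0, "carol"),
    Frame("CONTINUATION", 5, END_HEADERS, "carol"),
]
```

With `forward_naively`, only alice's first frame reaches the upstream and bob and carol are stuck behind her open block; with `forward_complete_blocks`, bob's and carol's frames all go through and alice alone is reported as stalled. The cost of the hardened design is that the proxy must hold each user's partial block in memory, which is why it also needs the per-block size limit.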