- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 2 Sep 2014 16:24:03 -0700
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Sep 2, 2014, at 2:51 PM, Martin Thomson wrote: > On 30 August 2014 12:14, Roy T. Fielding <fielding@gbiv.com> wrote: >> >> I think that is a mistake. Forcing padding to zero makes it less random >> and causes it to be compressed to nothing if a higher layer compresses >> the stream. A requirement on senders cannot prevent bad actors from >> sending non-zeros (assuming this is to prevent smuggling of data). > > This was entirely intentional. And this is less about bad actors than > it is about reducing the likelihood that a bad implementation escapes > detection. I personally consider the idea that we might prevent > somehow smuggling in HTTP to be laughable. I was trying to be nice. Sending zeros for padding is a bad implementation. > Note that these zero bytes cannot be compressed. We're requiring no > compression in TLS, consistent with its eventual removal in 1.3. I am not going to limit use of HTTP to TLS. Making design assumptions based on its presence is a mistake. There are a significant number of HTTP implementations that don't even use a network, and a significant number of secure networks that don't require the vulnerability of TLS certificate authorities. Let's not assume they do. BTW, the same is true of the way "TCP" is used in the spec. Assuming that all connections are TCP isn't even remotely true in practice, including when they are actually TLS. ....Roy
Received on Tuesday, 2 September 2014 23:24:27 UTC