W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: h2 padding

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 2 Sep 2014 16:24:03 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <6815AA04-68B0-44D3-B71D-CE252DD9342B@gbiv.com>
To: Martin Thomson <martin.thomson@gmail.com>
On Sep 2, 2014, at 2:51 PM, Martin Thomson wrote:

> On 30 August 2014 12:14, Roy T. Fielding <fielding@gbiv.com> wrote:
>> 
>> I think that is a mistake.  Forcing padding to zero makes it less random
>> and causes it to be compressed to nothing if a higher layer compresses
>> the stream.  A requirement on senders cannot prevent bad actors from
>> sending non-zeros (assuming this is to prevent smuggling of data).
> 
> This was entirely intentional.  And this is less about bad actors than
> it is about reducing the likelihood that a bad implementation escapes
> detection.  I personally consider the idea that we might prevent
> somehow smuggling in HTTP to be laughable.

I was trying to be nice.  Sending zeros for padding is a bad implementation.

> Note that these zero bytes cannot be compressed.  We're requiring no
> compression in TLS, consistent with its eventual removal in 1.3.

I am not going to limit use of HTTP to TLS.  Making design assumptions
based on its presence is a mistake.  There are a significant number of
HTTP implementations that don't even use a network, and a significant
number of secure networks that don't require the vulnerability of TLS
certificate authorities.  Let's not assume they do.

BTW, the same is true of the way "TCP" is used in the spec.  Assuming
that all connections are TCP isn't even remotely true in practice,
including when they are actually TLS.

....Roy
Received on Tuesday, 2 September 2014 23:24:27 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:10 UTC