- From: Brian Smith <brian@briansmith.org>
- Date: Tue, 2 Sep 2014 23:15:08 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Sep 2, 2014 at 11:07 PM, Brian Smith <brian@briansmith.org> wrote: > I actually think it is worth evaluating whether the padding mechanism > is practically useful as a security mechanism as specified and with > the above issues addressed. Has anybody actually used frame padding to > solve a real-world problem yet? Has anybody tried to write a > terrible-but-conforming implementation that effectively undoes all the > protection that padding is supposed to offer? It seems likely that the > answer to both questions is "no." Also, what is a HTTP1.1 <-> HTTP/2 proxy supposed to do with padding? It seems it can do nothing but drop it. But, if the padding is security-critical then it isn't safe to drop it. It seems like padding either belongs at the transport layer or within the application (e.g. within the HTML content), not in the HTTP layer. But, perhaps this concern has already been addressed in ways that are not obvious to me; if so, sorry for the noise. Cheers, Brian
Received on Wednesday, 3 September 2014 06:15:34 UTC