
Re: h2 padding

From: Brian Smith <brian@briansmith.org>
Date: Wed, 3 Sep 2014 12:00:35 -0700
Message-ID: <CAFewVt7738-08bGQ9D8ktju2JiXmepNOMNtoOeqi+rxPPWBqAw@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Mark Nottingham <mnot@mnot.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Sep 2, 2014 at 11:34 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> Brian Smith writes:
>>Consider an implementation that sends every frame in its own TCP
>>packet, perhaps with a 1 minute delay between frames. [...]
>
> If this was a joke, you forgot the smiley.
>
> If it wasn't, please explain why we should even think about entertaining
> the convenience of such an implementation,

Pretty sure I am being trolled here, but in case I'm not: It is common
for "security people" to give an exaggerated example to make a
vulnerability obvious, in order to save time debating things like "is
a millisecond too small to matter?" You can replace "1 minute" with "1
second" or virtually any other non-zero period of time and you still
have the same problem. Similarly, the problem still holds even if
every frame isn't in its own TCP packet, as long as any frame gets
split according to some function of the length of the padding of a
frame.

> when 3/4 of the browsers
> cannot even think of a reason to support non-TLS traffic.

I agree that what the Google Chrome team is doing here is amazing and
commendable, and that all the other browsers should do similar.

Cheers,
Brian
Received on Wednesday, 3 September 2014 19:01:02 UTC
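
The point made in the message above, as an added example that is not part of the original thread or of any HTTP/2 implementation: when a sender's write boundaries depend on the padding length, the sizes an observer sees reveal the data length that the padding was meant to hide, and writing the whole frame at once removes that signal. It assumes the 9-octet frame header and padded DATA layout of RFC 7540 section 6.1 and treats each write as one observable unit (a TLS record or TCP segment); the sender functions, the 256-octet bucket and the sample bodies are constructed for illustration.

```python
import struct

TYPE_DATA = 0x0
FLAG_PADDED = 0x8          # DATA frame PADDED flag (RFC 7540 section 6.1)
HEADER_LEN = 9

def data_frame(stream_id, data, pad_len):
    """Return (header, pad-length octet + data, padding) for a padded DATA frame."""
    payload_len = 1 + len(data) + pad_len
    header = (struct.pack(">I", payload_len)[1:]          # 24-bit length
              + bytes([TYPE_DATA, FLAG_PADDED])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header, bytes([pad_len]) + data, bytes(pad_len)

def pad_to_bucket(data_len, bucket=256):
    """Padding that rounds the frame payload up to a multiple of `bucket` (max 255)."""
    return (-(1 + data_len)) % bucket

def split_sender(stream_id, data, pad_len):
    """Hypothetical sender: flushes the padding in a write of its own."""
    header, body, padding = data_frame(stream_id, data, pad_len)
    return [header + body, padding] if pad_len else [header + body]

def coalescing_sender(stream_id, data, pad_len):
    """Hypothetical sender: hands the complete frame to the transport in one write."""
    header, body, padding = data_frame(stream_id, data, pad_len)
    return [header + body + padding]

def observed_sizes(writes):
    """All a passive observer of the encrypted stream learns: the size of each write."""
    return [len(w) for w in writes]

def inferred_data_len(sizes):
    """With the split sender, the first write is header + pad octet + data."""
    return sizes[0] - HEADER_LEN - 1

if __name__ == "__main__":
    # Constructed sample bodies of different lengths.
    for body in (b"balance=7", b"balance=1234567"):
        pad = pad_to_bucket(len(body))
        split = observed_sizes(split_sender(1, body, pad))
        whole = observed_sizes(coalescing_sender(1, body, pad))
        print(len(body), "split:", split, "->", inferred_data_len(split),
              "| coalesced:", whole)
```

Any delay between the two writes of the split sender only makes the boundary easier to see; the leak comes from the split itself.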
