W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: h2 padding

From: Greg Wilkins <gregw@intalio.com>
Date: Thu, 4 Sep 2014 10:30:40 +1000
Message-ID: <CAH_y2NH8aFFFW3SOawj71YpSNVHx=f9sg=5yr-1ZMAfgC_iDqw@mail.gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: Brian Smith <brian@briansmith.org>, Jason Greene <jason.greene@redhat.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Mark Nottingham <mnot@mnot.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 4 September 2014 08:30, Roberto Peon <grmocg@gmail.com> wrote:

> Truthfully, many folks who write applications will not think about this
> kind of thing, and providing something which does handle this for them
> automatically is likely quite a bit better than nothing.
>

I completely agree that applications often don't think about this sort of
thing.  As an infrastructure provider I like nothing more than providing a
service my users didn't even know that they needed.

But in this case the draft does not say that automatic padding is a bit
better than nothing.  In fact it says that padding without knowledge of the
data may be *counterproductive* and *easily defeated.*

So without guidance of how to generate padding in productive way, my
implementation will simply never generate padding and will discard any
padding received (because there are no channels available to pass it to
layers above).  Hhmmm I think Brian said this better:

On 4 September 2014 08:31, Brian Smith <brian@briansmith.org> wrote:

> In general, it is unreasonable to expect implementations to correctly
> implement this security feature when the way to correctly implement it
> is unspecified. The correct processing of padding, in particular, is
> extremely non-obvious.


+1

If there is a recommended way to improve security by generating padding,
then I will happily implement it.   But if there is not a recommended
general approach to padding then we are not going to magically create
secure automatic padding simply by saying that implementations may pad for
security.

cheers


-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.
Received on Thursday, 4 September 2014 00:31:09 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:10 UTC