
Re: HTTP/2 and HTTPS BICYCLE attack

From: Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Thu, 7 Jan 2016 15:50:56 +0200
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Smith, Kevin, (R&D) Vodafone Group" <Kevin.Smith@vodafone.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20160107135056.GA4724@LK-Perkele-V2.elisa-laajakaista.fi>
On Thu, Jan 07, 2016 at 10:34:03PM +1100, Martin Thomson wrote:
> If this had come with actual password recovery, I'd be impressed, but
> we've known for a long time that TLS doesn't protect lengths. TLS 1.3
> will let you try to protect lengths, but it's hard enough to do that
> we will likely give the same advice there: if you have a secret, then
> make it long, make every bit hard to guess, and make it the same
> length as all the other things like it.

HTTP/2 has padding support too (at least for HEADERS and DATA), right?

(Of course, this doesn't make it easy to use).

Received on Thursday, 7 January 2016 13:51:30 UTC
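The mention above of HTTP/2 padding is easiest to see on the wire. The following is an added example, not code from the thread or from any HTTP/2 implementation: it builds and parses HTTP/2 DATA frames in the RFC 7540 layout (9-octet header, PADDED flag 0x8, one Pad Length octet followed by the data and zero padding) and rounds the padded payload up to a fixed bucket size so that bodies of different lengths produce identically sized frames. The request bodies, the bucket size and the helper names are constructed for illustration.

```python
import struct

# HTTP/2 frame constants from RFC 7540 section 6.1 (DATA frame).
FRAME_TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8
MAX_FRAME_SIZE = 2 ** 14  # default SETTINGS_MAX_FRAME_SIZE


def build_data_frame(stream_id: int, data: bytes, bucket: int = 0,
                     end_stream: bool = False) -> bytes:
    """Serialise one DATA frame.

    With bucket > 0 the payload (Pad Length octet + data + padding) is rounded
    up to a multiple of `bucket`, so every body whose size falls in the same
    bucket produces a frame of the same wire length. bucket == 0 sends the
    data unpadded, which exposes its exact length to anyone observing the TLS
    record sizes.
    """
    flags = FLAG_END_STREAM if end_stream else 0
    if bucket > 0:
        target = -(-(len(data) + 1) // bucket) * bucket  # ceil to bucket
        pad_len = target - 1 - len(data)
        if pad_len > 255:
            # Pad Length is a single octet; a larger gap needs a smaller
            # bucket or splitting the body across several frames.
            raise ValueError("padding exceeds the 255-octet Pad Length field")
        payload = bytes([pad_len]) + data + b"\x00" * pad_len
        flags |= FLAG_PADDED
    else:
        payload = data
    if len(payload) > MAX_FRAME_SIZE:
        raise ValueError("payload exceeds the default maximum frame size")
    header = (struct.pack(">I", len(payload))[1:]          # 24-bit length
              + bytes([FRAME_TYPE_DATA, flags])             # type, flags
              + struct.pack(">I", stream_id & 0x7FFFFFFF))  # R bit + stream id
    return header + payload


def parse_data_frame(frame: bytes) -> dict:
    """Parse a DATA frame and strip padding, enforcing the RFC's checks."""
    if len(frame) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    if ftype != FRAME_TYPE_DATA:
        raise ValueError("not a DATA frame")
    if flags & FLAG_PADDED:
        if length == 0:
            raise ValueError("PROTOCOL_ERROR: PADDED frame with empty payload")
        pad_len = payload[0]
        if pad_len >= length:
            # RFC 7540 6.1: padding >= remaining payload is a PROTOCOL_ERROR.
            raise ValueError("PROTOCOL_ERROR: Pad Length >= payload length")
        data = payload[1:length - pad_len]
    else:
        data = payload
    return {"stream_id": stream_id, "wire_length": length,
            "data": data, "end_stream": bool(flags & FLAG_END_STREAM)}


def observed_lengths(bodies, bucket: int = 0):
    """Frame sizes a passive observer would see for each body (constructed)."""
    return [len(build_data_frame(1, body, bucket)) for body in bodies]


if __name__ == "__main__":
    # Constructed sample bodies of different lengths.
    bodies = [b"password=hunter2", b"password=correcthorsebatterystaple"]
    print("unpadded frame sizes:", observed_lengths(bodies))
    print("padded to 64-octet buckets:", observed_lengths(bodies, bucket=64))
    print(parse_data_frame(build_data_frame(1, bodies[0], bucket=64)))
```

Padding to a bucket only hides the length within that bucket; a body that crosses a boundary still changes the frame size, so the bucket has to be chosen per field or per endpoint, and the padding bytes cost bandwidth. That is the "not easy to use" part: the mechanism exists, but the application still has to decide where and how much to pad.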
