- From: Erik Aronesty <erik@q32.com>
- Date: Sat, 7 Aug 2021 18:13:05 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAJowKg+6O90XYVYvN1WyPdEH10B3oPoLWcYp8ibhYk_d8LjKLw@mail.gmail.com>
SSL is increasingly required for website servers. While this is a good thing, it does increase the burden on the server for connections. The amount of effort required to trigger key negotiations can be low compared to the effort spent on the server.

An easy way to mitigate this would be for the server to require a small proof of work. A server can issue a nonce and a required proof level in order to proceed with SSL negotiations. Browsers could complete a proof of work within a millisecond or so.

In response to a denial of service attack, the SSL layer could request an increased proof of work, for example. Users of the website could then choose whether or not to comply based on the difficulty and expected time of calculation.

A lightweight PoW+authentication system like this could be a massive deterrent for a denial of service attack... effectively spreading the load of the attack across all of the users of the site.

https://simulx.medium.com/1eccf3817e90
Received on Monday, 9 August 2021 08:01:42 UTC
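
A minimal sketch of the nonce-plus-proof-level exchange proposed in the message above, added here as an illustration; it is not code from the post or from any TLS implementation. The SHA-256 leading-zero-bits puzzle, the HMAC-signed stateless challenge, the 30-second lifetime and all function names are assumptions.

```python
import hashlib, hmac, os, struct

SERVER_KEY = os.urandom(32)  # assumption: per-server secret, rotated periodically
MAX_AGE = 30                 # assumption: seconds a challenge stays valid

def leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def issue_challenge(bits, now):
    """Server: nonce || timestamp || level, MACed so no per-client state is kept."""
    body = os.urandom(16) + struct.pack(">QB", int(now), bits)
    return body + hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def solve(challenge):
    """Client: brute-force a counter; expected cost is about 2**bits hashes."""
    bits = challenge[24]  # level byte follows the 16-byte nonce and 8-byte time
    counter = 0
    while True:
        d = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(d) >= bits:
            return counter
        counter += 1

def verify(challenge, counter, min_bits, now):
    """Server: one HMAC and one hash, whatever the difficulty was.

    min_bits is the level currently required; a challenge issued at a
    lower level before the level was raised is rejected.
    """
    if len(challenge) != 57 or not 0 <= counter < 2**64:
        return False
    body, tag = challenge[:25], challenge[25:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or altered challenge (e.g. lowered level)
    issued, bits = struct.unpack(">QB", body[16:])
    if bits < min_bits or not 0 <= now - issued <= MAX_AGE:
        return False  # too easy for the current level, or expired
    d = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
    return leading_zero_bits(d) >= bits
```

A solved challenge can be replayed until it expires, so a deployment would also need a replay cache or a binding of the challenge to the client address.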