Re: #250 / #251 (connect bodies)

On Fri, Oct 29, 2010, Willy Tarreau wrote:
> On Fri, Oct 29, 2010 at 04:41:14PM +1100, Mark Nottingham wrote:
> > It's not free, as evidenced by the hoops that are being jumped through to try to make sure that it isn't treated like HTTP.
> No, we're trying to make sure it *is* treated like HTTP even on non
> completely HTTP compliant stacks which could possibly treat the tunnelled
> data as HTTP too while they must not. Otherwise, the 101+upgrade perfectly
> fits the purpose.

I know I've asked this before, but what about devices that wish to pull apart
the CONNECT traffic (MITM security appliances) and, deciding the traffic
isn't actually HTTP, quite rightly denies it?

What about statistical fingerprinting of traffic? (ie, fingerprinting
whether a CONNECT session is likely to be HTTP or not based on exchanged
traffic patterns.)


Received on Friday, 29 October 2010 06:29:24 UTC