- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 29 Feb 2012 00:02:25 +0100
- To: Mike Belshe <mike@belshe.com>
- CC: Willy Tarreau <w@1wt.eu>, httpbis mailing list <ietf-http-wg@w3.org>
On 2012-02-28 23:52, Mike Belshe wrote: > Hi, Willy - > > Thanks for the insightful comments about header compression. I'm out of > the country for a few days, so I am slow to reply fully. > > We did consider this, but ultimately decided it was mostly a non issue, > as the problem already exists. Specifically - the same amplification > attacks exist in the data stream with data gzip encoding. You could > make an argument that origin servers and proxy servers are different, I > suppose; but many proxy servers are doing virus scanning and other > content checks anyway, and already decoding that stream. But if you're > still not convinced, the problem also exists at the SSL layer. (SSL > will happily negotiate compression of the entire stream - headers & all > - long before it gets to the app layer). So overall, I don't think this > is a new attack vector for HTTP. > ... Am I missing something? When using SSL, the intermediate won't see the contents of the message anyway, right? (and yes, I'm aware of the "but", but that's not something we need to optimize for...) Best regards, Julian
Received on Tuesday, 28 February 2012 23:03:00 UTC