Re: Response to HTTP2 expressions of interest

On Friday, July 13, 2012, Poul-Henning Kamp wrote:

> In message <>, Tim Bray writes:
> >How much information needs to be in the unprotected envelope?  Because one
> >of the benefits of transport-level security is that a snooper, for example
> >a government tracking dissidents, knows little/nothing about my traffic
> >aside from the routing.  Not a rhetorical question.  -Tim
>
> And this is exactly about the routing.
> The three fields that today should be part of the envelope are
> "Host:", URI (sans query part) and Session-Nonce.  (Since we don't
> actually have a session-nonce, today people route on cookies.)

From the perspective of a load balancer, having just those three fields in
cleartext isn't sufficient. Sending a request to the proper upstream
destination may require information from Cookie, X-Forwarded-For, and more.

And because there's an overlap between the fields often needed for load
balancing and the fields that contain PII, trying to put the former in a
cleartext envelope is a tricky proposition.

I'm not too concerned about load balancers having to decrypt messages,
though: SSL termination has been a key selling point for load balancers for
many years.


