Re: HTTP/2: Another reason to find a safer encoding

Definitely a fascinating read and I can certainly relate to many of the
issues discussed. Reliable parsing within existing HTTP headers and the
request URI can be a significant source of pain. Encoding issues and
inconsistency between header definitions just makes matters that much
worse. Unfortunately, despite the significant security concern that such
issues represent (issues that I would argue are as significant, or in some
cases more significant than the question of mandatory TLS support) it would
be next to impossible to fix (or at least improve-upon) these various
issues without making significant modifications to existing HTTP/1.1
semantics. I'd very much like to see such changes made within 2.0, but I'm
afraid that I may be in the minority.

- James

On Tue, Jul 31, 2012 at 10:36 AM, Willy Tarreau <> wrote:

> Hi,
> Ivan Ristic recently presented a wide collection of methods to bypass
> web application firewalls using implementation differences in HTTP
> stacks :
> While some of them have already been discussed to great extents, including
> here, I think it's worth a read and reminds us that we really need to
> address the ambiguities of request encoding if we want to make the web
> safer.
> Regards,
> Willy

Received on Tuesday, 31 July 2012 21:56:50 UTC