It's definitely worth exploring more. I've done some experimentation with it as well. There are a host of issues that jump out immediately but the overall concept of http2 stream level encryption is theoretically sound. On Nov 17, 2013 3:08 PM, "Roberto Peon" <grmocg@gmail.com> wrote: > There are interesting security implications of interlacing unencrypted and > encrypted data which I'm fairly sure have not at all been > analyzed/experimented with. > This was one of the reasons why we originally thought about, but did not > implement, encryption as an upper, rather than lower layer. > > WS does do masking, but that is a fair bit less involved than TLS, which > requires bidirectional communication and is more involved. > > Again, I think it is an interesting thing to experiment with, and think > that it will absolutely require lots of analysis and experience... > -=R > > > On Sun, Nov 17, 2013 at 2:56 PM, Willy Tarreau <w@1wt.eu> wrote: > >> On Sun, Nov 17, 2013 at 02:30:03PM -0800, Roberto Peon wrote: >> > Sounds like an interesting experiment (as Mike already said, we >> considered >> > this way back when). >> >> yes, and it's already more or less what's done with WebSocket if my >> memory serves me right, as the masking is per message and I believe >> per channel when mux is used. >> >> I would personally like to see encryption used only on what *needs* >> to be encrypted so that "routing" HTTP doesn't require decrypting >> for most standard cases. We're not there yet... >> >> Willy >> >> >
Received on Sunday, 17 November 2013 23:24:23 UTC