W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

Re: New Version Notification for draft-snell-httpbis-keynego-01.txt

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Wed, 20 Nov 2013 00:54:29 +0000
To: Mark Nottingham <mnot@mnot.net>
cc: James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <41162.1384908869@critter.freebsd.dk>
In message <A2FCBC5B-CD83-4373-A80F-08AD860FAFD6@mnot.net>, Mark Nottingham wri

>For me, one of the key questions about this general approach is whether 
>the extra information leakage will be acceptable. I.e., an attacker will 
>now know the "shape" of messages -- request and response -- on the wire, 
>including their timing, size, relationships, etc. 

I think those are only relevant concerns in the 'targeted attack'
model, in which case, based on what we have learned, you're likely
totally screwed, even if you use TOR.

I think this is a much better model for HTTP in the long run, since
it opens the door to protected traffic sharing connections with
unprotected traffic, for instance between outgoing proxies and
servers, and it has the potential to only protect the bits which
really matter, at the level of protection they need.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Wednesday, 20 November 2013 00:54:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:20 UTC