- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Wed, 20 Nov 2013 01:23:16 +0000
- To: Roberto Peon <grmocg@gmail.com>
- cc: Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
In message <CAP+FsNcNtdo9amaboDDDWbMGz47DgCed6q-BS_zLB275Y_MN4w@mail.gmail.com> , Roberto Peon writes: >Exposing the framing/length of things that would be in an >encrypted-by-TLS bytestream today, however, does worry me-- >it makes BEAST/CRIME-like attacks significantly more difficult >to protect against. Absolutely. And there is no doubt either that there is an UI challenge in communicating the security situation, if the various elements you see are protected to different levels and degrees. But there are also many benefits, for instance being able to run the crypto-handshake in parallel with delivery of the first unprotected page elements, rather than stall everything until TLS has gotten its bits sorted out. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Wednesday, 20 November 2013 01:23:38 UTC