- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 21 Apr 2014 16:16:21 -0700
- To: Jeff Pinner <jpinner@twitter.com>
- Cc: Johnny Graettinger <jgraettinger@chromium.org>, Patrick McManus <mcmanus@ducksong.com>, K.Morgan@iaea.org, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 21 April 2014 15:57, Jeff Pinner <jpinner@twitter.com> wrote: > The goals here are: > > 1) achieve a desired (to-be-provided) frame length distribution > 2) achieve this with the minimum amount of padding > 3) achieve the desired distribution regardless of the input data stream > > The intend is not to avoid reframing, it's to avoid a discontinuity in the > output distribution. Then those goals can be achieved without changing anything. Re-packaging frames into smaller chunks allows you to meet those goals. I can understand if there are END_SEGMENT flags in place that this complicates things. But completely-full frames with END_SEGMENT should be a pathological case. > Now, if I operate under the assumption that an adversary can force my server > to produce full size frames, [...] This is where we have the disconnect. If an adversary has that much control over your code, I don't trust *anything* you are sending me. What's padding going to do to help then?
Received on Monday, 21 April 2014 23:16:49 UTC