Re: Frame Length Restrictions

From: Jeff Pinner <jpinner@twitter.com>
Date: Mon, 21 Apr 2014 17:01:47 -0700
Message-ID: <CA+pLO_iqHbmiJYiQVkW7gNTwxFFa5uxEWwRdhZ-_87uzMhh+fw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Johnny Graettinger <jgraettinger@chromium.org>, Patrick McManus <mcmanus@ducksong.com>, K.Morgan@iaea.org, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
> > Now, if I operate under the assumption that an adversary can force my server
> > to produce full size frames, [...]
> This is where we have the disconnect.  If an adversary has that much
> control over your code, I don't trust *anything* you are sending me.
> What's padding going to do to help then?

My assumption here is similar to BREACH: user input can be reflected in
HTTP response bodies, which the upstream servers naively split into 16K
data frames using whatever HTTP/2 library they have chosen.
Received on Tuesday, 22 April 2014 00:02:14 UTC