
Re: Frame Length Restrictions

From: Jeff Pinner <jpinner@twitter.com>
Date: Mon, 21 Apr 2014 17:01:47 -0700
Message-ID: <CA+pLO_iqHbmiJYiQVkW7gNTwxFFa5uxEWwRdhZ-_87uzMhh+fw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Johnny Graettinger <jgraettinger@chromium.org>, Patrick McManus <mcmanus@ducksong.com>, K.Morgan@iaea.org, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
> > Now, if I operate under the assumption that an adversary can force my server
> > to produce full size frames, [...]
>
> This is where we have the disconnect.  If an adversary has that much
> control over your code, I don't trust *anything* you are sending me.
> What's padding going to do to help then?
>

My assumption here is similar to BREACH: user input can be reflected in
HTTP response bodies, which the upstream servers naively split into 16K
data frames using whatever HTTP/2 library they have chosen.
Received on Tuesday, 22 April 2014 00:02:14 UTC
