
Re: Transfer-codings, mandatory content-coding support and intermediaries

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 21 Apr 2014 23:59:48 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <D8BA4C26-559C-46E3-ACBE-0C6BC14B9804@gbiv.com>
To: Martin Thomson <martin.thomson@gmail.com>

On Apr 21, 2014, at 9:35 AM, Martin Thomson wrote:
> The real problem here is less with clients, but servers.  The BEAST
> demonstrations exploited servers that dynamically compressed content
> without regard to the source of the compressed content.

They exploit compression of user-provided data within a secure channel
that can be observed by the attacker (on the same network).
Not surprisingly, most HTTP use cases are not affected.

Likewise, restricting packet sizes to a small length in order to
prevent fools from HOL blocking their own multiplexed channels
makes some sense, for browser developers.  However, it actively
harms applications of HTTP that are not interested in multiplexing
because they only want to transmit a single large data stream.
[E.g., for SSH, we have "http://www.psc.edu/index.php/hpn-ssh".]

I don't think it makes sense to limit an application-level protocol
to the worst case.
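The condition Fielding describes (a secret and user-provided data compressed together inside an encrypted channel, with only the ciphertext length visible to an on-path observer) can be made concrete with a small Python script. This is an added example, not code from the thread or from any HTTP implementation; the response body, the `SECRET_TOKEN` value and the `should_compress` policy are constructed for illustration. It shows that the compressed size of the same response shrinks when the reflected input happens to share bytes with the secret, which is exactly the signal the channel leaks, and pairs that with the server-side check a defender would apply: do not compress a response that mixes a secret with reflected user input in one compression context.

```python
import zlib

# Constructed per-session secret; any fixed string works for the demo.
SECRET_TOKEN = "csrf=8f3a9c2d"


def build_body(reflected: str) -> bytes:
    """Constructed response body: carries SECRET_TOKEN and echoes a
    user-supplied parameter, the mix BEAST/CRIME-era demos relied on."""
    return (
        f"<html><body><input name='{SECRET_TOKEN}'>"
        f"<p>You searched for: {reflected}</p></body></html>"
    ).encode()


def compressed_size(reflected: str) -> int:
    """Length of the deflate-compressed body; this is the only quantity an
    observer of an encrypted channel can measure."""
    return len(zlib.compress(build_body(reflected), 9))


def leaks_via_length(shared_prefix: str, unrelated: str) -> bool:
    """True when a reflected value that shares bytes with the secret
    compresses to fewer bytes than an unrelated value of the same length.
    Deflate replaces the repeated bytes with a back-reference, so the
    ciphertext length alone reveals whether the two strings overlap."""
    assert len(shared_prefix) == len(unrelated), "compare equal-length inputs"
    return compressed_size(shared_prefix) < compressed_size(unrelated)


def should_compress(reflects_user_input: bool, carries_secret: bool) -> bool:
    """Defensive policy (assumed, not from the thread): compress only when
    the response does not place user-controlled input and a secret in the
    same compression context. Static assets and secret-free pages keep
    compression; pages that echo input next to a token do not."""
    return not (reflects_user_input and carries_secret)


if __name__ == "__main__":
    print("shares bytes with secret:", compressed_size("csrf=8f3a"))
    print("unrelated input:         ", compressed_size("xyz=12345"))
    print("leaks:", leaks_via_length("csrf=8f3a", "xyz=12345"))
    print("compress search page with token:", should_compress(True, True))
    print("compress static asset:          ", should_compress(False, False))
```

The size difference is a few bytes for a 9-byte overlap because deflate encodes the repeated run as a length/distance pair instead of nine literals; the same effect holds for any compression applied below TLS, which is why the practical mitigations are to keep secrets out of compressed contexts that also contain reflected input, or to disable compression for such responses altogether.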

Received on Tuesday, 22 April 2014 07:00:11 UTC
