#423: Security Implications of GZIP

In the London meeting, some folks expressed concern about the security implications of using GZIP in HTTP. We're tracking this as <https://github.com/http2/http2-spec/issues/423>. 

As you can see there, we've updated Security Considerations to address compression issues -- <http://http2.github.io/http2-spec/#rfc.section.10.6>

Does this address the concern adequately?

Cheers,


P.S. For those who haven't been following, payload compression in HTTP/2 can happen two ways:

1) end-to-end using Content-Encoding (just as with HTTP/1.1), and
2) hop-by-hop, using the compression flag on DATA frames; see <http://http2.github.io/http2-spec/#DATA>

(2) is new, and analogous to Transfer-Encoding: gzip in HTTP/1.1. However, it's frame-by-frame, not message-by-message; that is, compression dictionaries are not shared between frames, even if those frames coalesce to form a single HTTP message.



--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 25 April 2014 00:50:08 UTC
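An added illustration, not part of the message above or of the spec, of the difference the P.S. describes: one deflate context spanning all frames (Content-Encoding style) versus a fresh context per DATA frame. The frame contents and token values are constructed samples; it measures only how the second frame's compressed size reacts to what the first frame contained.

```python
import zlib

# Constructed sample values (same length, different content).
SECRET = b"session=5f3a9c2e1b7d4e8a6c0f2b9d"
OTHER = b"session=0a1b2c3d4e5f60718293a4b5"


def compress_shared(frames):
    """Message-level compression: one deflate context spans every frame,
    so a later frame may be coded as a back-reference into an earlier one.
    Z_SYNC_FLUSH after each frame makes the per-frame output boundaries visible."""
    ctx = zlib.compressobj(level=6)
    return [ctx.compress(f) + ctx.flush(zlib.Z_SYNC_FLUSH) for f in frames]


def compress_per_frame(frames):
    """DATA-frame-level compression as the P.S. describes it: a fresh context
    for every frame, so no dictionary (sliding window) is shared between them."""
    return [zlib.compress(f, 6) for f in frames]


def frame2_sizes(compress_fn):
    """Return (size of frame 2 when frame 1 repeats its token,
               size of frame 2 when frame 1 holds a different token).
    Frame 2 is byte-identical in both runs; only frame 1 differs."""
    frame2 = b"<p>Your session: " + SECRET + b"</p>"
    with_repeat = [b"X-Echo: " + SECRET, frame2]
    without_repeat = [b"X-Echo: " + OTHER, frame2]
    return (len(compress_fn(with_repeat)[1]),
            len(compress_fn(without_repeat)[1]))


if __name__ == "__main__":
    # Shared context: frame 2 shrinks when frame 1 already carried the token,
    # i.e. its size depends on data outside the frame.
    print("shared  (repeat, no repeat):", frame2_sizes(compress_shared))
    # Per-frame context: frame 2's size is the same either way.
    print("per-frame (repeat, no repeat):", frame2_sizes(compress_per_frame))
```

The independence shown here holds only across frame boundaries; bytes placed together inside a single frame still share one context, so the considerations in section 10.6 apply within each frame.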