W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

#423: Security Implications of GZIP

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 25 Apr 2014 10:51:05 +1000
Message-Id: <6343464F-C6FC-4A82-919A-11F963A7D6BB@mnot.net>
Cc: Kathleen Moriarty <kathleen.moriarty@emc.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: HTTP Working Group <ietf-http-wg@w3.org>
In the London meeting, some folks expressed concern about the security implications of using GZIP in HTTP. We're tracking this as <https://github.com/http2/http2-spec/issues/423>. 

As you can see there, we've updated Security Considerations to address compression issues -- <http://http2.github.io/http2-spec/#rfc.section.10.6>

Does this address the concern adequately?


P.S. For those who haven't been following, payload compression in HTTP/2 can happen two ways:

1) end-to-end using Content-Encoding (just as with HTTP/1.1), and
2) hop-by-hop, using the compression flag on DATA frames; see <http://http2.github.io/http2-spec/#DATA>

(2) is new, and analogous to Transfer-Encoding: gzip in HTTP/1.1. However, it's frame-by-frame, not message-by-message; that is, compression dictionaries are not shared between frames, even if those frames coalesce to form a single HTTP message.

Mark Nottingham   http://www.mnot.net/
Received on Friday, 25 April 2014 00:50:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:30 UTC