- From: Greg Wilkins <gregw@intalio.com>
- Date: Wed, 7 May 2014 16:45:35 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAH_y2NFz0TuTDspfs2gACVxGoWj7weDScf7YsXb_gqoP5EVqPA@mail.gmail.com>
I understand the security issue of obscuring data length so that an attacker cannot send crafted data with a known compression algorithm to help search for encryption keys. But why does the padding data created to protect against that have to be within the data frame? This appears to a be a needless complication as the extra data can be sent either in ping frames or even in an additional stream. Either the attacker can see frame boundaries, in which case in frame padding is no good because the attacker can see the headers - OR they can't, in which case sending some extra random length data can be done in pings and/or alternate streams and the attacker will not be the wisers. There might be an issue with frames being sent in different packets, but that is easy for the sender to ensure simply by prepending and random size ping to any buffer used to construct a data frame. regards PS. I can already imagine the abusive uses of the protocol that will start putting "hidden" meta data into the padding! -- Greg Wilkins <gregw@intalio.com> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales http://www.webtide.com advice and support for jetty and cometd.
Received on Wednesday, 7 May 2014 14:46:03 UTC