Why do DATA frames have padding?

From: Greg Wilkins <gregw@intalio.com>
Date: Wed, 7 May 2014 16:45:35 +0200
Message-ID: <CAH_y2NFz0TuTDspfs2gACVxGoWj7weDScf7YsXb_gqoP5EVqPA@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

I understand the security issue of obscuring data length so that an
attacker cannot send crafted data with a known compression algorithm to
help search for encryption keys.

But why does the padding data created to protect against that have to be
within the data frame?  This appears to be a needless complication as the
extra data can be sent either in ping frames or even in an additional
stream.

Either the attacker can see frame boundaries, in which case in-frame
padding is no good because the attacker can see the headers - OR they
can't, in which case sending some extra random length data can be done in
pings and/or alternate streams and the attacker will not be the wiser.

There might be an issue with frames being sent in different packets, but
that is easy for the sender to ensure simply by prepending a random size
ping to any buffer used to construct a data frame.

regards

PS.  I can already imagine the abusive uses of the protocol that will start
putting "hidden" meta data into the padding!


-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.
Received on Wednesday, 7 May 2014 14:46:03 UTC
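
The PS above raises the concern of data hidden in padding. As an added example (not part of the original message or of any HTTP/2 implementation), this sketch shows how a receiver can split a padded DATA frame and flag padding that is not all zero. It assumes the frame layout later published in RFC 7540 section 6.1, which may differ from the draft under discussion in this thread; the function names are hypothetical.

```python
# Added example: DATA frame layout assumed from RFC 7540 section 6.1.
DATA, PADDED = 0x0, 0x8  # frame type and PADDED flag

class FrameError(ValueError):
    """Frame that a receiver should reject (PROTOCOL_ERROR in HTTP/2 terms)."""

def build_data_frame(stream_id, data, pad=None):
    """Serialize one DATA frame; pad=None means the PADDED flag is not set."""
    flags, payload = 0, data
    if pad is not None:
        if len(pad) > 255:
            raise ValueError("Pad Length is a single octet")
        flags, payload = PADDED, bytes([len(pad)]) + data + pad
    header = (len(payload).to_bytes(3, "big") + bytes([DATA, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload

def inspect_data_frame(frame):
    """Split a DATA frame into data and padding and flag non-zero padding."""
    if len(frame) < 9:
        raise FrameError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if ftype != DATA or len(payload) != length:
        raise FrameError("not a complete DATA frame")
    pad_len, data, padding = 0, payload, b""
    if flags & PADDED:
        if not payload:
            raise FrameError("PADDED set but Pad Length octet missing")
        pad_len = payload[0]
        if pad_len >= length:
            raise FrameError("padding is as long as the payload or longer")
        data, padding = payload[1:length - pad_len], payload[length - pad_len:]
    return {"stream_id": stream_id, "data": data, "pad_len": pad_len,
            "nonzero_padding": any(padding)}

if __name__ == "__main__":
    # Constructed sample frames: same data, same size, different padding bytes.
    for pad in (b"\x00" * 7, b"secret!"):
        frame = build_data_frame(1, b"hello", pad)
        print(len(frame), inspect_data_frame(frame))
```

Both constructed frames have the same length, so only a check of the padding octets themselves separates the zero-filled frame from the one carrying extra bytes.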
