W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: Making Implicit C-E work.

From: Johnny Graettinger <jgraettinger@chromium.org>
Date: Wed, 14 May 2014 11:52:47 -0400
Message-ID: <CAEn92TpM82mwHEKiuFA3pHcAs2mXoVg4aOz5Y8+KQfo8VpwZjA@mail.gmail.com>
To: K.Morgan@iaea.org
Cc: Matthew Kerwin <matthew@kerwin.net.au>, Roberto Peon <grmocg@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, C.Brunhuber@iaea.org
> Nearly all of the problems brought up w.r.t. t-e gzip are also true for
> C-E gzip. This one is no exception.
> *Implicit C-E gzip adds a large DoS attack surface to intermediaries.*
> An attacker simply sends requests without ‘accept-encoding: gzip’ from a
> HTTP/1.1. origin through a 1.1<->2 gateway for a resource it knows the
> server will implicitly C-E gzip. Then (using your own words Johnny) “the
> gateway is required to decompress before handing off to the origin … and
> face the ensuing DoS attack surface.”

This is a problem which already exists today. As Roberto noted, existing h1
intermediaries add a-e: identity on behalf of clients who didn't ask for
it, and existing servers send c-e: gzip anyway, because the observed impact
of not compressing is higher than the interop issues it introduces.

The DOS mitigation which is available today, and continues to be available
for h2/h1 gateways under implicit c-e: gzip, is to pass through what the
server sent without decompression. There's a high likelihood the h1 client
will be able to handle c-e: gzip  (and even prefers it), which is
definitely not true if t-e: gzip were used instead.
Received on Wednesday, 14 May 2014 15:53:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:30 UTC