W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: improved caching in HTTP: new draft

From: Guille -bisho- <bishillo@gmail.com>
Date: Wed, 21 May 2014 09:10:20 -0700
Message-ID: <CAMSE37uZSvhqnm=tA-W_0qkfQvVk0s65bPqebbsYVoxN1O4MFA@mail.gmail.com>
To: Chris Drechsler <chris.drechsler@etit.tu-chemnitz.de>
Cc: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
My 2 cents after reading the draft:

Etag and If-None-Match already give a conditional get feature with
hash that does not need a reset of the connection.

Your proposal adds very little caching for bad practices. Nobody
should be using two urls for the same resource, if you need load
balancing between two cdns, you should be consistent and js1 always be
requested from site1 and js2 from site2. And this is being improved by
HTTP2 that will elimitate the need for sharding among domains to
overcome limits if parallel requests and head-of-line blocking.

The Cache-NT header can only be applied  within a domain, and even
there is risky. A malicious user could inject malicious content with a
Cache-NT header that matches other resource to poison the cache. Even
if intermediate caches check the hash, there is still pre-image
attacks, won't be hard to find a collision and append malicious code
to a js file.

With Cache-NT you are only avoiding the transfer of the content, but
still incurring in the request to the backend server. Most of the
times that is the expensive part, and before you reset the connection
the backend would have probably sent you another 8 packets of
information (the recommended initcwnd is 9 by this days). If the
request should be cached, better get the provider to configure cache
properly to avoid doing the request altogether than this oportunistic
but dangerous way of avoiding some extra transfers over the wire.

Guille -bisho-
<bisho@freedreams.org|fb.com>
:wq
Received on Wednesday, 21 May 2014 16:11:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:30 UTC