W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: Negotiating compression

From: Jason Greene <jason.greene@redhat.com>
Date: Thu, 29 May 2014 08:51:24 -0500
Cc: Martin Thomson <martin.thomson@gmail.com>, Simone Bordet <simone.bordet@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <A6C719E3-55F1-4BB5-99AB-DB1FE84ECCA8@redhat.com>
To: Willy Tarreau <w@1wt.eu>

> On May 29, 2014, at 1:40 AM, Willy Tarreau <w@1wt.eu> wrote:
> These ones could be advertised in the ALPN name (h2 = failsafe, h2h =
> hpack version for example) so that we don't need an extra round trip
> to know what is supported.

You mean disable/disallow the Huffman encoding bit in HPACK right? HPACK with a size 0 table is easy for embedded devices (and everyone else), offers decent reduction in header sizes, and runs no risk of a CRIME style attack.

> That way if a CRIME-like attack surfaces, simply disable h2h for the
> time it takes to design a new encoding and applications relying on
> passing everything in the same connection continue to work, just
> slightly slower.

If you did the above if likely wouldn't be slower, it would even be computationally faster, and might still be small enough to limit round trips
Received on Thursday, 29 May 2014 13:52:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC