Re: FW: HPACK analysis

From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 1 Feb 2014 12:59:29 -0800
Message-ID: <CABkgnnVr25caDPFwCWSCK1xghAfbCSu2wNtPdZ-1x479HFT28Q@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Rob Trace <Rob.Trace@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>, Magnus Nystrom <mnystrom@microsoft.com>, Eric Rescorla <ekr@rtfm.com>

On 31 January 2014 22:09, Adam Barth <w3c@adambarth.com> wrote:
> it requires downstream technologies to maintain more invariants in order to
> avoid leaking sensitive information.

After continuing this discussion offline, this remains my biggest
concern.  While it might be true that HPACK can be used safely, any
impact on users of the protocol will have to be carefully monitored.

However, I don't believe that any change in the requirements for
proper use would necessarily be the end of HPACK.  We need to
understand what those changes might be and make an evaluation about
whether the advantages outweigh the costs.

It might be that we conclude that HPACK is a bad idea, period.  I
consider that unlikely, because the browser isn't the only place HTTP
is used.  More likely we will need to find a set of restrictions on
its use.

It might be that we don't use HPACK for browsing.  Again, that doesn't
sound ideal, but if we can't find a set of restrictions on use that
we're willing to implement, then that's where we will likely end up.
Received on Saturday, 1 February 2014 20:59:56 UTC