Re: Padding for PUSH_PROMISE frames from Roberto Peon on 2014-02-14 (ietf-http-wg@w3.org from January to March 2014)

From: Roberto Peon <grmocg@gmail.com>
Date: Thu, 13 Feb 2014 23:42:08 -0800
To: Jeff Pinner <jpinner@twitter.com>
Cc: Nicholas Hurley <hurley@todesschaf.org>, IETF HTTP WG <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNe2k8fMw5o_uqwKPr+qQuy6v-RVP9yNUwmNyn7eXEV=qw@mail.gmail.com>

I can see an argument for it but... meh. Padding is not a security feature
unless it is used right. Adding it everywhere doesn't really help that, and
opens up stuff even wider for abuse in the myriad cases where it has no
real security benefit.

-=R


On Thu, Feb 13, 2014 at 9:39 PM, Jeff Pinner <jpinner@twitter.com> wrote:

> Should we consider adding padding to all frames?
>
> We have two bits reserved at the beginning of the length field that we
> could use for the two padding flags, independent of frame type.
>
>
> On Thu, Feb 13, 2014 at 9:26 PM, Nicholas Hurley <hurley@todesschaf.org>wrote:
>
>> All,
>>
>> Right now (as of draft-10), DATA, HEADERS, and CONTINUATION frames can
>> contain padding to obscure the actual size of the data being sent. I
>> believe it would make sense to also add the option for padding to
>> PUSH_PROMISE frames, as they carry (pretty much) the same type of payload
>> as HEADERS frames, and can benefit from padding in the same way.
>>
>> I can make a pull request if others think this is a good idea.
>>
>> Thoughts?
>> -Nick
>>
>
>

Received on Friday, 14 February 2014 07:42:36 UTC