Re: Padding for PUSH_PROMISE frames

I thought about adding padding to everything, but like Roberto said, it
gets even trickier to do correctly (i.e., without messing up the security
properties), and it seems a little silly to me to add padding to a frame
that has a constant size. Adding it to PUSH_PROMISE, though, allows hiding
the true size of the promised headers, and makea processing of both that
and HEADERS frames almost the same, conceivably simplifying  implementation.
I can see an argument for it but... meh. Padding is not a security feature
unless it is used right. Adding it everywhere doesn't really help that, and
opens up stuff even wider for abuse in the myriad cases where it has no
real security benefit.

-=R


On Thu, Feb 13, 2014 at 9:39 PM, Jeff Pinner <jpinner@twitter.com> wrote:

> Should we consider adding padding to all frames?
>
> We have two bits reserved at the beginning of the length field that we
> could use for the two padding flags, independent of frame type.
>
>
> On Thu, Feb 13, 2014 at 9:26 PM, Nicholas Hurley <hurley@todesschaf.org>wrote:
>
>> All,
>>
>> Right now (as of draft-10), DATA, HEADERS, and CONTINUATION frames can
>> contain padding to obscure the actual size of the data being sent. I
>> believe it would make sense to also add the option for padding to
>> PUSH_PROMISE frames, as they carry (pretty much) the same type of payload
>> as HEADERS frames, and can benefit from padding in the same way.
>>
>> I can make a pull request if others think this is a good idea.
>>
>> Thoughts?
>> -Nick
>>
>
>

Received on Friday, 14 February 2014 22:01:36 UTC