- From: Albert Lunde <atlunde@panix.com>
- Date: Fri, 21 Feb 2014 13:02:18 -0600
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 2/21/2014 12:09 PM, Bjoern Hoehrmann wrote:
> * Willy Tarreau wrote:
>> [...] That said, I'm still very concerned that we
>> want to mandate such antique bit-oriented algorithms which are extremely
>> slow and memory invasive while we have many much better ones such as
>> snappy, lz4, quicklz and I-don't-know-what which are much more friendly
>> for both ends and better suited for the 21st century's machines and
>> networks.
>
> I expect we will make sure through appropriate specification and testing
> that we can deploy new compression schemes much more easily than it is
> for HTTP/1.1, so I am not too concerned about that. [...]
Another question is whether compression schemes introduce side channels
better to attack TLS. This has been mainly a concern with regards to
authentication information in headers, but the BREACH attack:
http://en.wikipedia.org/wiki/BREACH_%28security_exploit%29
used HTTP body compression.
These are really attacks on web browsers rather than HTTP, as such, but
in practical terms they are part of the larger problem space.
--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Friday, 21 February 2014 19:02:41 UTC