Re: h2#373 HPACK attack mitigation options

From: Roland Zink <roland@zinks.de>
Date: Wed, 05 Mar 2014 12:47:33 +0100
Message-ID: <53170ED5.9020208@zinks.de>
To: ietf-http-wg@w3.org

What does this mean for proxies? Should proxies open a new outgoing 
connection for each incoming?

HPACK can do a diff to the previous request. If the previous request is 
from a different client then the diff might be rather large. Should 
HPACK be extended to allow several reference sets and switch between them?

Roland

On 05.03.2014 11:23, Martin Thomson wrote:
> An implementation is potentially affected by this attack if it allows
> multiple actors to influence the creation of HTTP header fields on the
> same connection.  It also requires that header fields provided by any
> one actor be kept secret from any other actor.  In the canonical
> example of a browser, the invariant we want to maintain is that any
> origin (the primary class of actor in that context) is unable to
> access header fields that are created by other origins, or the browser
> itself.
>
> I'll note that this is also potentially an issue for non-browsers that
> use proxies.
>
>
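To make the two points above concrete (Roland's "diff to the previous request" from a different client, and Martin's invariant that one actor must not influence how another actor's header fields are encoded), here is an added toy model of an HPACK-style dynamic table. It is not real HPACK wire encoding and not code from anyone on the thread; the clients, header values and cost model are constructed, and it goes slightly beyond the email by also checking the isolation invariant a proxy would want to hold.

```python
# Toy model of an HPACK-style dynamic table (not real HPACK wire format; added
# example, not code from the thread). A header already in the table costs
# 1 byte (indexed form); a new one costs roughly its literal length and is
# inserted at the front, evicting the oldest entry when the table is full.
class ToyEncoder:
    def __init__(self, max_entries=3):
        self.table = []          # (name, value) pairs, most recent first
        self.max_entries = max_entries

    def encode(self, headers):
        size = 0
        for name, value in headers:
            if (name, value) in self.table:
                size += 1                               # indexed representation
            else:
                size += len(name) + len(value) + 2      # literal with length prefixes
                self.table.insert(0, (name, value))
                del self.table[self.max_entries:]       # evict oldest entries
        return size

# Constructed requests of two downstream clients behind one proxy.
CLIENT_A = [(":method", "GET"), (":path", "/a"), ("cookie", "sid=A-SECRET")]
CLIENT_B = [(":method", "GET"), (":path", "/b"), ("cookie", "sid=B-SECRET")]

def alternating_sizes(shared, rounds=3):
    """Encoded sizes for A,B,A,B,... With one shared context the diff to the
    previous request is large because that request came from a different
    client; per-client contexts stay small after the first round."""
    enc_a = ToyEncoder()
    enc_b = enc_a if shared else ToyEncoder()
    sizes = []
    for _ in range(rounds):
        sizes.append(enc_a.encode(CLIENT_A))
        sizes.append(enc_b.encode(CLIENT_B))
    return sizes

def b_size_independent_of_a(shared):
    """Isolation invariant: what one actor sends must not change how another
    actor's header fields are encoded. Encode B after two constructed
    variants of A's request and check that B's size is the same either way."""
    sizes = []
    for a_cookie in ("sid=A-SECRET", "sid=B-SECRET"):
        enc_a = ToyEncoder()
        enc_a.encode([(":method", "GET"), (":path", "/a"), ("cookie", a_cookie)])
        enc_b = enc_a if shared else ToyEncoder()
        sizes.append(enc_b.encode(CLIENT_B))
    return sizes[0] == sizes[1]

if __name__ == "__main__":
    print("shared  :", alternating_sizes(True), b_size_independent_of_a(True))
    print("isolated:", alternating_sizes(False), b_size_independent_of_a(False))
```

With a shared context the sizes alternate 41, 30, 41, 30 and the invariant fails; with one encoder per client they settle at 3 bytes per request and B's size no longer depends on A's headers.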
Received on Wednesday, 5 March 2014 11:47:56 UTC