- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 31 Mar 2014 09:31:16 -0700
- To: K.Morgan@iaea.org
- Cc: Albert Lunde <atlunde@panix.com>, Cory Benfield <cory@lukasa.co.uk>, Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, C.Brunhuber@iaea.org
On 31 March 2014 06:28, <K.Morgan@iaea.org> wrote:

> In other words, if an attack is found, you have to wait for all the servers
> around the world to be patched to manually disable compression.

At this stage, I consider it highly unlikely that an attack is found whereby compression has to be globally disabled. All the attacks that rely on compression are highly contextual. Use of compression for static content (images, static HTML, JS, CSS) is highly valuable from a performance perspective, and there are no significant threats in that area.

Note that BEAST effectively did require all servers around the world to be patched. It's just that only a vanishingly small proportion of them were vulnerable to the attack. Maybe this won't be the case next time, but with all the recent scrutiny, I'd be willing to bet that the next attack won't be on compression.

I'd think it unlikely that the working group would reverse this decision and remove the implicit opt-in.
Received on Monday, 31 March 2014 16:31:44 UTC