Re: HTTP/2 DoS Vulnerability (Was: HTTP/2 response completed before its request) from Roberto Peon on 2014-07-02 (ietf-http-wg@w3.org from July to September 2014)

From: Roberto Peon <grmocg@gmail.com>
Date: Tue, 1 Jul 2014 23:41:38 -0700
To: "Eric J. Bowman" <eric@bisonsystems.net>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Jeff Pinner <jpinner@twitter.com>, Johnny Graettinger <jgraettinger@chromium.org>, William Chan <willchan@chromium.org>, Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, Jesse Wilson <jesse@swank.ca>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNd06bPGVHVtn2QADT0C64Ai7_VZftkrtVzqt0ajOdANfA@mail.gmail.com>

phk@ has yet to demonstrate that there is an actual problem with DoS for
HTTP2 in the first place, and continues to make statements of fact about
things where he is demonstrably misinformed.

-=R




On Tue, Jul 1, 2014 at 11:38 PM, Eric J. Bowman <eric@bisonsystems.net>
wrote:

> "Poul-Henning Kamp" wrote:
> >
> > Since it seems HTTP/2 is just going to be a short lived stopgap on top
> > of TLS only, maybe it will never become a real problem.
> >
> > In HTTP/3 we'll have to be serious about it.
> >
>
> My disillusionment with the HTTP/2 process stems from this concept that
> it doesn't need to be "gotten right" because we'll address any problems
> in HTTP/3. Am I the only one who thinks the horse should come before
> the cart?
>
> -Eric
>

Received on Wednesday, 2 July 2014 06:42:05 UTC