Re: HTTP/2 DoS Vulnerability (Was: HTTP/2 response completed before its request)

On Tue, Jul 1, 2014 at 11:51 PM, Eric J. Bowman wrote:

> "Poul-Henning Kamp" wrote:
> >
> > What really surprises me is that we see such proposals to name&shame
> > proxies which do not allow random private extensions through, but
> > no proposals to name&shame browsers which do not want to support
> > HTTP/2 upgrade ?
> >
> > The goals are obviously not to ensure the widest possible adoption
> > of HTTP/2.
> >
> > It certainly looks like a number of WG participants are much more
> > focused on getting HTTP/2 to work for their own private, (soon to
> > be walled ?), garden, than to make HTTP/2 the best possible protocol
> > for the web as such.
> >
> Exactly. Why are so many folks talking about HTTP/3 as a solution to
> the shortcomings of HTTP/2 when HTTP/2 isn't even in LC? If HTTP/2 were
> "getting it right" then why all the talk of deferring proper
> architecture to HTTP/3? So discouraging...

There is no real discussion of HTTP/3.  PHK proposed HTTP/3 discussion as a
bucket to catch the same arguments that he lost in HTTP/2 discussions. As
far as I can tell, he is the only one talking about it.  The rest of us are
still working on HTTP/2.


> -Eric

Received on Wednesday, 2 July 2014 11:31:26 UTC