Re: HTTP/2 DoS Vulnerability (Was: HTTP/2 response completed before its request) from Mike Belshe on 2014-07-02 (ietf-http-wg@w3.org from July to September 2014)

From: Mike Belshe <mike@belshe.com>
Date: Wed, 2 Jul 2014 04:30:59 -0700
To: "Eric J. Bowman" <eric@bisonsystems.net>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Roberto Peon <grmocg@gmail.com>, Jeff Pinner <jpinner@twitter.com>, Johnny Graettinger <jgraettinger@chromium.org>, William Chan <willchan@chromium.org>, Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, Jesse Wilson <jesse@swank.ca>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABaLYCtvpxTj_-Cvk3y0W_gddhNuyGpAe74VEwbzp920y_LUyQ@mail.gmail.com>

On Tue, Jul 1, 2014 at 11:51 PM, Eric J. Bowman <eric@bisonsystems.net>
wrote:

> "Poul-Henning Kamp" wrote:
> >
> > What really surprises me is that we see such proposals to name&shame
> > proxies which do not allow random private extensions through, but
> > no proposals to name&shame browsers which do not want to support
> > HTTP/2 upgrade ?
> >
> > The goals are obviously not to ensure the widest possible adoption
> > of HTTP/2.
> >
> > I certainly looks like a number of WG participants are much more
> > focuses on getting HTTP/2 to work for their own private, (soon to
> > be walled ?), garden, than to make HTTP/2 the best possible protocol
> > for the web as such.
> >
>
> Exactly. Why are so many folks talking about HTTP/3 as a solution to
> the shortcomings of HTTP/2 when HTTP/2 isn't even in LC? If HTTP/2 were
> "getting it right" then why all the talk of deferring proper
> architecture to HTTP/3? So discouraging...
>

There is no real discussion of HTTP/3.  PHK proposed HTTP/3 discussion as a
bucket to catch the same arguments that he lost in HTTP/2 discussions. As
far as I can tell, he is the only one talking about it.  The rest of us are
still working on HTTP/2.

Mike





>
> -Eric
>
>

Received on Wednesday, 2 July 2014 11:31:26 UTC