Re: draft-ietf-httpbis-http2-latest, 4.3 Header Compression and Decompression, 10.6 Use of Compression from Martin Thomson on 2014-07-10 (ietf-http-wg@w3.org from July to September 2014)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 9 Jul 2014 21:44:22 -0700
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: HTTPBIS working group mailing list <ietf-http-wg@w3.org>
Message-ID: <CABkgnnVZ4BhKv9ktDvX=H+ie1CTOvXin3Thi-0NAN7x=q-EbSw@mail.gmail.com>

On 9 July 2014 20:47, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
>
> 1) Attack is relevent only when TLS is used -- otherwise data
>    is observed by attacker in any case
>
> 2) TLS between proxy -> Web server   means that
>    original URL was  https://...
>
> 3) https://... URL means that T wants end to end encryption
>    and therefore T uses CONNECT methed for proxy


These are correct, but we are talking about new uses for TLS, and
there are cases (gateways in particular) where the problem could
manifest.

Received on Thursday, 10 July 2014 04:44:49 UTC