
Re: Striving for Compromise (Consensus?)

From: Jason Greene <jason.greene@redhat.com>
Date: Fri, 11 Jul 2014 13:45:49 -0500
Cc: Greg Wilkins <gregw@intalio.com>, Jeff Pinner <jpinner@twitter.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <71637FEF-62E4-48F8-BBA5-65D2C6534DD8@redhat.com>
To: Martin Thomson <martin.thomson@gmail.com>

On Jul 11, 2014, at 1:38 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 11 July 2014 11:35, Jason Greene <jason.greene@redhat.com> wrote:
>>> http://lists.w3.org/Archives/Public/ietf-http-wg/2014JulSep/0760.html
>> 
>> Ok in that case, Roberto's analysis does not prove what you say it does.
> 
> I'm pretty sure that it does.
> 
> This point:
>> The current design handles this fairly well, at most one set of headers can
>> be incomplete at any point in time (sending a large number of incomplete
>> headers and keeping most of them incomplete most of the time is an
>> excellent attack vector, which the design currently precludes).

This is the flaw:

"1) Stalling a connection by never finishing the sending of a full set of headers.

I don't find #1 interesting, since the attacker is mostly just attacking
themselves"

If you coalesce connections there are N users per connection. That's a real problem you can't just wave away.

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
Received on Friday, 11 July 2014 18:47:13 UTC
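Added example, not part of this thread or of any HTTP/2 implementation: a small Python model of the receiver-side rule the quoted text refers to (at most one header block may be incomplete on a connection, and once a HEADERS frame is sent without END_HEADERS only CONTINUATION frames on that stream may follow). It also shows the mitigation a server on a coalesced connection wants against the stall Jason describes: a deadline on how long a block may stay incomplete. The frame layout, the `stall_deadline` value and the `HeaderBlockReceiver` class are constructed for illustration; the deadline is an assumed server policy, not something the draft specifies.

```python
"""Model of an HTTP/2-style receiver: one incomplete header block at a time,
plus a stall deadline so a peer that never finishes a block cannot hold the
connection (and every user coalesced onto it) open indefinitely."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

END_HEADERS = 0x4  # flag bit on HEADERS / CONTINUATION meaning "block complete"


@dataclass
class Frame:
    kind: str            # "HEADERS", "CONTINUATION", "DATA", ...
    stream_id: int
    flags: int = 0
    payload: bytes = b""  # header block fragment (HPACK bytes in a real peer)


class ProtocolError(Exception):
    """Frame sequence violates the contiguity rule: treat as a connection error."""


class StallError(Exception):
    """The open header block exceeded the stall deadline: close the connection."""


@dataclass
class HeaderBlockReceiver:
    stall_deadline: float = 5.0   # assumed policy: seconds a block may stay open
    pending_stream: Optional[int] = None
    pending_since: Optional[float] = None
    buffered: List[bytes] = field(default_factory=list)
    completed: Dict[int, bytes] = field(default_factory=dict)

    def receive(self, frame: Frame, now: float) -> None:
        """Process one frame arriving at time `now` (seconds)."""
        if self.pending_stream is not None:
            # A block is open: nothing but CONTINUATION on that stream is legal,
            # which is exactly why a second incomplete block cannot exist.
            if frame.kind != "CONTINUATION" or frame.stream_id != self.pending_stream:
                raise ProtocolError(
                    f"{frame.kind} on stream {frame.stream_id} while block on "
                    f"stream {self.pending_stream} is incomplete")
            if now - self.pending_since > self.stall_deadline:
                raise StallError("header block kept incomplete too long")
            self.buffered.append(frame.payload)
            if frame.flags & END_HEADERS:
                self._finish()
            return
        if frame.kind == "HEADERS":
            self.buffered = [frame.payload]
            self.pending_stream = frame.stream_id
            self.pending_since = now
            if frame.flags & END_HEADERS:
                self._finish()
        elif frame.kind == "CONTINUATION":
            raise ProtocolError("CONTINUATION with no header block open")
        # Other frame kinds (DATA, WINDOW_UPDATE, ...) need no header-block state.

    def _finish(self) -> None:
        self.completed[self.pending_stream] = b"".join(self.buffered)
        self.buffered = []
        self.pending_stream = None
        self.pending_since = None

    def stalled(self, now: float) -> bool:
        """Timer hook: True when the open block has outlived the deadline, so the
        server can tear the connection down instead of waiting forever."""
        return (self.pending_stream is not None
                and now - self.pending_since > self.stall_deadline)


def well_formed_block() -> bytes:
    """Constructed happy path: HEADERS then CONTINUATION with END_HEADERS."""
    rx = HeaderBlockReceiver()
    rx.receive(Frame("HEADERS", 1, 0, b"part1-"), now=0.0)
    rx.receive(Frame("CONTINUATION", 1, END_HEADERS, b"part2"), now=0.1)
    return rx.completed[1]


def interleaving_is_rejected() -> bool:
    """Constructed: a DATA frame on another stream during an open block."""
    rx = HeaderBlockReceiver()
    rx.receive(Frame("HEADERS", 1, 0, b"part1-"), now=0.0)
    try:
        rx.receive(Frame("DATA", 3, 0, b"body"), now=0.1)
    except ProtocolError:
        return True
    return False


def stall_is_detected(deadline: float, elapsed: float) -> bool:
    """Constructed: block opened at t=0, timer fires after `elapsed` seconds."""
    rx = HeaderBlockReceiver(stall_deadline=deadline)
    rx.receive(Frame("HEADERS", 1, 0, b"part1-"), now=0.0)
    return rx.stalled(now=elapsed)


if __name__ == "__main__":
    print(well_formed_block(), interleaving_is_rejected(),
          stall_is_detected(5.0, 6.0), stall_is_detected(5.0, 1.0))
```

The contiguity check is what makes "at most one incomplete set of headers" true; the `stalled` timer is the part a server must add itself, because without it the single permitted incomplete block can still be held open for as long as the peer likes, and on a coalesced connection that cost is paid by every user sharing it.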
