- From: David Krauss <potswa@gmail.com>
- Date: Tue, 22 Jul 2014 14:44:41 +0800
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Roberto Peon <grmocg@gmail.com>, Adrien de Croy <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>, Willy Tarreau <w@1wt.eu>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 2014–07–22, at 2:15 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> In message <CAP+FsNfCO34LAr9gzetXDs5=UdS2zOh8CHRn=akOpMnmnc0KCg@mail.gmail.com>
> , Roberto Peon writes:
>
>> Like so: http://en.wikipedia.org/wiki/CRIME
>
> Apart from some pretty marginal difference in odds, I don't see
> how splitting :query changes the equation.
>
> To take CRIME seriously means that the URL should never be compressed
> and always randomly padded, and we don't do that.

Well, actually that is the recommended practice for applications that do take CRIME seriously. Which is why I’m not sure that there’s a security impact to splitting out :query. If :path is not secret, then it can be stored in the header table. If it is secret, then the same measures will be applied as to :query and the impact of splitting (vs not splitting) is just a few bits.

Anyway if :path remains constant then its contribution to the header block size will also be constant, regardless of compression or lack thereof.

Received on Tuesday, 22 July 2014 06:45:24 UTC