- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 23 Jul 2014 16:51:15 +1200
- To: ietf-http-wg@w3.org
On 23/07/2014 12:26 p.m., Matthew Kerwin wrote:
> On 23 July 2014 09:14, Greg Wilkins <gregw@intalio.com> wrote:
>
>> Matthew,
>>
>> why are the compression contexts frame only? Doesn't that make this
>> extension very vulnerable to fragmentation, especially if we drop
>> END_SEGMENT as we have done.
>>
>> Surely there is no harm in having a compression context that is per stream?
>>
>
> The two main reasons were CRIME/BREACH attacks, and to limit the state
> commitment, particularly when transport-level compression was part of the
> main spec. I'm trying to dig up a reference to the conversation that led
> to it; here's one cherry I've picked from the archives, which might be a
> starting point back from which to work:
> http://lists.w3.org/Archives/Public/ietf-http-wg/2014AprJun/0297.html
> Three months is such a long time ago, on the internet. :\
>
> Incidentally, END_SEGMENT had potential to enforce useful fragmentation --
> i.e. avoiding a CRIME/BREACH attack by separating secret and
> attacker-controlled data with an end-to-end barrier -- if the END_SEGMENT
> mechanism was exposed to the origin application.

Fragmentation is not a problem. There are two obvious options when using a new extension frame type: either 1) define the frame as non-fragmentable, or 2) have it carry an END_SEGMENT flag.

Amos
Received on Wednesday, 23 July 2014 04:52:02 UTC
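The design question in the thread (per-frame versus per-stream compression context) comes down to one measurable property: whether the compressed size of one frame depends on bytes that were compressed in an earlier frame. The following Python script is an added example, not code from this thread, from Squid or from any HTTP/2 implementation; it uses zlib to model both context choices. The secret frame, the echoed frame and the guessed bytes are constructed sample values. With a shared (per-stream) context the echoed frame's size varies with the guessed byte, which is the coupling CRIME/BREACH rely on; with a fresh context per frame the sizes are identical, which is the property a reviewer wants to confirm before accepting a compressed frame type.

```python
import zlib

# Constructed sample data: one frame carrying a secret header, and a second
# frame that echoes content influenced by an untrusted party (for example a
# reflected query parameter). Neither value comes from the mailing-list thread.
SECRET_FRAME = b"Cookie: session=ABCDEFGH1234\r\n"
GUESSES = ["A", "B", "Z"]  # "A" is the byte that actually follows "session="


def compressed_sizes_shared_context(frames):
    """Per-stream context: one compressor keeps its window across frames.

    Each frame ends with Z_SYNC_FLUSH, so every frame is independently
    decodable, but the dictionary built from earlier frames stays available.
    Returns the compressed size of each frame in bytes.
    """
    comp = zlib.compressobj(9)
    sizes = []
    for frame in frames:
        out = comp.compress(frame) + comp.flush(zlib.Z_SYNC_FLUSH)
        sizes.append(len(out))
    return sizes


def compressed_sizes_per_frame(frames):
    """Frame-only context: every frame is compressed with a fresh window."""
    sizes = []
    for frame in frames:
        comp = zlib.compressobj(9)
        sizes.append(len(comp.compress(frame) + comp.flush(zlib.Z_FINISH)))
    return sizes


def second_frame_sizes(size_fn, guesses):
    """Compressed size of the echoed frame for each guessed byte."""
    result = {}
    for guess in guesses:
        echo_frame = ("Cookie: session=" + guess).encode()
        result[guess] = size_fn([SECRET_FRAME, echo_frame])[1]
    return result


def context_leaks_secret(size_fn, guesses=GUESSES):
    """True if the echoed frame's size depends on the guessed byte, i.e. the
    compression context couples untrusted data to the earlier secret."""
    sizes = second_frame_sizes(size_fn, guesses)
    return len(set(sizes.values())) > 1


if __name__ == "__main__":
    for name, fn in [("shared (per-stream)", compressed_sizes_shared_context),
                     ("per-frame", compressed_sizes_per_frame)]:
        print(name, second_frame_sizes(fn, GUESSES),
              "size depends on guess:", context_leaks_secret(fn))
```

The same check applies to either of the two options in the reply above: a non-fragmentable frame or a frame closed by an END_SEGMENT flag only removes the coupling if the compressor's window is reset at that boundary as well, which is what `compressed_sizes_per_frame` models and `compressed_sizes_shared_context` does not.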