Re: h2 padding

On Tue, Sep 2, 2014 at 11:07 PM, Brian Smith <brian@briansmith.org> wrote:
> I actually think it is worth evaluating whether the padding mechanism
> is practically useful as a security mechanism as specified and with
> the above issues addressed. Has anybody actually used frame padding to
> solve a real-world problem yet? Has anybody tried to write a
> terrible-but-conforming implementation that effectively undoes all the
> protection that padding is supposed to offer? It seems likely that the
> answer to both questions is "no."

Also, what is an HTTP/1.1 <-> HTTP/2 proxy supposed to do with padding?
It seems it can do nothing but drop it. But, if the padding is
security-critical then it isn't safe to drop it. It seems like padding
either belongs at the transport layer or within the application (e.g.
within the HTML content), not in the HTTP layer. But, perhaps this
concern has already been addressed in ways that are not obvious to me;
if so, sorry for the noise.

Cheers,
Brian

Received on Wednesday, 3 September 2014 06:15:34 UTC
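
The proxy case raised in the message above, as an added example that is not part of the original post: two constructed response bodies are padded to the same HTTP/2 DATA frame size, then passed through a translating hop that strips the padding and emits HTTP/1.1, where their lengths differ again. It assumes the frame layout later published in RFC 7540 (9-byte header, PADDED flag 0x8, one-byte Pad Length); all function names are hypothetical.

```python
import struct

FRAME_DATA = 0x0    # DATA frame type (RFC 7540 layout, assumed here)
FLAG_PADDED = 0x8   # PADDED flag

def build_data_frame(stream_id, data, pad_to):
    """Build a DATA frame whose payload is exactly pad_to bytes long."""
    pad_len = pad_to - len(data) - 1          # 1 byte for the Pad Length field
    if not 0 <= pad_len <= 255:
        raise ValueError("cannot pad to requested size")
    payload = bytes([pad_len]) + data + b"\x00" * pad_len
    header = struct.pack(">I", len(payload))[1:]       # 24-bit length
    header += bytes([FRAME_DATA, FLAG_PADDED])
    header += struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload

def parse_data_frame(frame):
    """Return the application data of a DATA frame, padding removed."""
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    payload = frame[9:9 + length]
    if ftype != FRAME_DATA or len(payload) != length:
        raise ValueError("not a complete DATA frame")
    if not flags & FLAG_PADDED:
        return payload
    if not payload or payload[0] >= length:
        # Pad Length >= payload length is a PROTOCOL_ERROR in RFC 7540
        raise ValueError("invalid padding")
    return payload[1:length - payload[0]]

def translate_to_http11(frame):
    """What a translating proxy can emit: HTTP/1.1 has nowhere to carry padding."""
    body = parse_data_frame(frame)
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body

def wire_lengths(bodies, pad_to=64):
    """Byte counts an on-path observer sees on each side of the proxy."""
    frames = [build_data_frame(1, b, pad_to) for b in bodies]
    return [len(f) for f in frames], [len(translate_to_http11(f)) for f in frames]

# Constructed sample bodies, not taken from any real traffic.
SAMPLE_BODIES = [b"no", b"yes, approved"]

if __name__ == "__main__":
    h2_side, h1_side = wire_lengths(SAMPLE_BODIES)
    print("HTTP/2 side:  ", h2_side)
    print("HTTP/1.1 side:", h1_side)
```

On the HTTP/2 side both frames have the same size; on the HTTP/1.1 side the sizes track the body lengths, so any length hiding has to be redone by the transport or the application on that hop.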