Re: h2 padding

--------
In message <CAFewVt74NYqEFNUFnhYcWdaYpZpsEj4zWb4eG7O29=UBAZANZQ@mail.gmail.com>
, Brian Smith writes:
>On Tue, Sep 2, 2014 at 11:07 PM, Brian Smith <brian@briansmith.org> wrote:

>It seems like padding either belongs at the transport layer or within the
>application (e.g. within the HTML content), not in the HTTP layer.

Agreed.

There's an old article about this called "End-to-end arguments in
system design".

The transport layer can pad traffic to look all alike, but this is
incredibly inefficient: basically it must fill all packets and
stuff random bogo-packets in to mask any timing.

The application layer knows both what is important to mask and how
to best mask it, and that is where security padding should happen.

Hoping that a random layer in the middle can stuff in some padding
without insight into the context and magically secure all the
web-apps which should have thought about it is not based on sound thinking.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Wednesday, 3 September 2014 06:29:05 UTC