- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Wed, 03 Sep 2014 06:28:39 +0000
- To: Brian Smith <brian@briansmith.org>
- cc: Mark Nottingham <mnot@mnot.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
--------
In message <CAFewVt74NYqEFNUFnhYcWdaYpZpsEj4zWb4eG7O29=UBAZANZQ@mail.gmail.com>, Brian Smith writes:

>On Tue, Sep 2, 2014 at 11:07 PM, Brian Smith <brian@briansmith.org> wrote:
>It seems like padding either belongs at the transport layer or within the
>application (e.g. within the HTML content), not in the HTTP layer.

Agreed.

There's an old article about this called "End-to-end arguments in system design".

The transport layer can pad traffic to look all alike, but this is incredibly inefficient; basically it must fill all packets and stuff random bogo-packets in to mask any timing.

The application layer knows both what is important to mask and how to best mask it, and that is where security padding should happen.

Hoping that a random layer in the middle can stuff in some padding without insight into the context and magically secure all the web-apps which should have thought about it is not based on sound thinking.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
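The efficiency argument in the message above can be made concrete with a small size-padding comparison. The following is an added example written for this archive page; it is not code from Poul-Henning Kamp, Brian Smith or the HTTP Working Group. It assumes a constructed set of HTML response bodies, a hypothetical power-of-two bucketing scheme for application-layer padding (padding is appended as an inert HTML comment, matching the "within the HTML content" option in the quoted text), and a stand-in for a content-blind transport layer that must pad every message to the largest possible size.

```python
"""Application-layer bucket padding versus content-blind transport padding.

Added example, not part of the original thread. Pads HTTP response bodies so
that nearby sizes become indistinguishable by length, and compares the byte
overhead against a transport layer that knows nothing about the content and
therefore has to pad everything to one maximum size.
"""

# Constructed sample response bodies. In a real application these would be
# rendered pages whose length alone may reveal which resource was fetched.
SAMPLE_BODIES = [
    b"<html><body>ok</body></html>",
    b"<html><body>" + b"A" * 300 + b"</body></html>",
    b"<html><body>" + b"B" * 1500 + b"</body></html>",
    b"<html><body>" + b"C" * 9000 + b"</body></html>",
]

# Smallest HTML comment we can emit; used so padding is invisible to the browser.
MIN_COMMENT = len(b"<!---->")


def next_bucket(size: int, base: int = 256) -> int:
    """Smallest value base * 2**k that is >= size (hypothetical bucket scheme).

    Buckets grow geometrically, so small responses pay little overhead while
    large responses still collapse into a handful of observable lengths.
    """
    if size < 0:
        raise ValueError("size must be non-negative")
    bucket = base
    while bucket < size:
        bucket *= 2
    return bucket


def pad_html(body: bytes, base: int = 256) -> bytes:
    """Application-layer padding: append an HTML comment so the body length
    lands exactly on a bucket boundary. The rendered page is unchanged."""
    target = next_bucket(len(body) + MIN_COMMENT, base)
    filler = target - len(body) - MIN_COMMENT  # never negative by construction
    return body + b"<!--" + b" " * filler + b"-->"


def transport_pad(body: bytes, max_size: int) -> bytes:
    """Stand-in for a content-blind transport layer: with no insight into what
    the bytes mean, the only safe choice is to pad every message to max_size."""
    if len(body) > max_size:
        raise ValueError("body exceeds the transport padding limit")
    return body + b"\x00" * (max_size - len(body))


def compare(bodies=SAMPLE_BODIES, base: int = 256) -> dict:
    """Return the extra bytes each strategy costs over the constructed bodies and
    how many distinct lengths an on-path observer would see afterwards."""
    max_size = next_bucket(max(len(b) + MIN_COMMENT for b in bodies), base)
    app = [pad_html(b, base) for b in bodies]
    tra = [transport_pad(b, max_size) for b in bodies]
    orig = sum(map(len, bodies))
    return {
        "application_overhead": sum(map(len, app)) - orig,
        "transport_overhead": sum(map(len, tra)) - orig,
        "application_distinct_sizes": len({len(p) for p in app}),
        "transport_distinct_sizes": len({len(p) for p in tra}),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On the constructed bodies the transport stand-in hides all length differences but costs several times the original traffic, while the bucketed application padding costs under a single copy of the traffic and still leaves a few distinguishable sizes. Which of those trade-offs is acceptable depends on what the page actually leaks, which is exactly the context only the application has; timing, which the message also mentions, is not modelled here.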
Received on Wednesday, 3 September 2014 06:29:05 UTC