- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 3 Sep 2014 12:00:35 -0700
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mark Nottingham <mnot@mnot.net>, Roy Fielding <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Sep 2, 2014 at 11:34 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> Brian Smith writes:
>>Consider an implementation that sends every frame in its own TCP
>>packet, perhaps with a 1 minute delay between frames. [...]
>
> If this was a joke, you forgot the smiley.
>
> If it wasn't, please explain why we should even think about entertaining
> the convenience of such an implementation,

Pretty sure I am being trolled here, but in case I'm not: It is common for "security people" to give an exaggerated example to make a vulnerability obvious, in order to save time debating things like "is a millisecond too small to matter?" You can replace "1 minute" with "1 second" or virtually any other non-zero period of time and you still have the same problem. Similarly, the problem still holds even if every frame isn't in its own TCP packet, as long as any frame gets split according to some function of the length of the padding of a frame.

> when 3/4 of the browsers
> cannot even think of a reason to support non-TLS traffic.

I agree that what the Google Chrome team is doing here is amazing and commendable, and that all the other browsers should do similar.

Cheers,
Brian
Received on Wednesday, 3 September 2014 19:01:02 UTC