- From: Brian Smith <brian@briansmith.org>
- Date: Wed, 3 Sep 2014 15:47:33 -0700
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Sep 3, 2014 at 3:31 PM, Brian Smith <brian@briansmith.org> wrote: > In order for padding to be a useful security feature, it must provide > end-to-end protection. That is, when the origin server sends > data||padding, that data||padding needs to be preserved and processed > as a single unit through all hops (i.e. by any/all proxies). Sorry, allow me to correct myself here: It isn't true that the data||padding needs to be preserved and processed as a single unit; that is stricter than necessary. Instead, the padding needs to be preserved, and if the data||padding is chopped up into smaller pieces, that must be done independently of the boundary between the data and the padding. But, note that the proposal to put padding in a separate frame actually *encourages* chopping the data between the data and the padding, and probably also encourages dropping the padding, which are exactly the two things one must not do. Cheers, Brian
Received on Wednesday, 3 September 2014 22:48:00 UTC