W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: h2 padding

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 3 Sep 2014 17:25:36 -0700
Message-ID: <CABkgnnWHOqPXSB5KPou=W30p8X+=rG9vuSy50eKryChXHTjgnw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Cc: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 3 September 2014 15:59, Brian Smith <brian@briansmith.org> wrote:
> It seems like, with the way padding is
> currently specified, no endpoint can rely on it to mitigate
> BREACH-type attacks, for the reasons I gave.

If you use TLS end-to-end, without intermediation, I see no reason
that this can't be used to mitigate BREACH (or CRIME) attacks and
their ilk.  Certainly in cases where translation to HTTP/1.1 occurs,
that might not be true.

>>> So, we have to assume some implementations will choose to split
>>> the data stream at the frame boundary.
>> Let us be very careful to distinguish between potentially more secure
>> because we are providing the necessary tools and more secure even when
>> people do the wrong thing.  We're not aiming for the latter here.
> Splitting at the frame boundary is not specified as the wrong thing
> anywhere in the draft.

Nor is sticking your head out of a moving subway carriage.

There is probably a line somewhere between that makes sense.  If you
are willing to provide text, I'm quite likely to accept it.
Received on Thursday, 4 September 2014 00:26:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 18 November 2019 18:02:01 UTC