- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 13 May 2015 04:49:15 +1200
- To: ietf-http-wg@w3.org

On 13/05/2015 1:21 a.m., Willy Tarreau wrote:
> On Tue, May 12, 2015 at 01:07:58PM +0000, Poul-Henning Kamp wrote:
>> --------
>> In message <20150512082524.GC6738@1wt.eu>, Willy Tarreau writes:
>>
>>> Note that if a client supporting an encrypted response payload sets gzip in
>>> Accept-Encoding, it probably means it's willing to decompress *after*
>>> decryption, [...]
>>
>> That be an information leak. We shouldn't say anything which tells
>> anybody anything about what the encrypted data means.
>
> Good point, which brings back the header fields encryption. Thus maybe
> as was suggested, if any header is to be encrypted it should be moved
> to the payload part (mime or so). That said, a correct encryption
> algorithm would not be weakened by knowing that the first 3 bytes are
> expected to be 0x1f8b08.

Actually that would be octets 2-4. The first octet defines the padding size.

Amos

Received on Tuesday, 12 May 2015 16:49:49 UTC