On 13/05/2015 1:21 a.m., Willy Tarreau wrote:
> On Tue, May 12, 2015 at 01:07:58PM +0000, Poul-Henning Kamp wrote:
>> --------
>> In message <>, Willy Tarreau writes:
>>> Note that if a client supporting an encrypted response payload sets gzip in
>>> Accept-Encoding, it probably means it's willing to decompress *after*
>>> decryption, [...]
>> That would be an information leak.  We shouldn't say anything which tells
>> anybody anything about what the encrypted data means.
> Good point, which brings back the header fields encryption. Thus maybe
> as was suggested, if any header is to be encrypted it should be moved
> to the payload part (MIME or so). That said, a correct encryption
> algorithm would not be weakened by knowing that the first 3 bytes are
> expected to be 0x1f8b08.

Actually that would be octets 2-4. The first octet defines the padding size.


