- From: Ilari Liusvaara <ilariliusvaara@welho.com>
- Date: Thu, 7 Jan 2016 15:50:56 +0200
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: "Smith, Kevin, (R&D) Vodafone Group" <Kevin.Smith@vodafone.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Thu, Jan 07, 2016 at 10:34:03PM +1100, Martin Thomson wrote:
>
> If this had come with actual password recovery, I'd be impressed, but
> we've known for a long time that TLS doesn't protect lengths. TLS 1.3
> will let you try to protect lengths, but it's hard enough to do that
> we will likely give the same advice there: if you have a secret, then
> make it long, make every bit hard to guess, and make it the same
> length as all the other things like it.

HTTP/2 has padding support too (at least for HEADERS and DATA), right?

(Of course, this doesn't make it easy to use).

-Ilari

Received on Thursday, 7 January 2016 13:51:30 UTC
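
The HTTP/2 padding mentioned in the message above, as an added example that is not part of the original thread: a DATA frame built with the PADDED flag (RFC 7540, section 6.1) so that payloads of different lengths produce frames of the same size. The function names, the 64-octet bucket and the sample secrets are assumptions made for illustration.

```python
import struct

DATA = 0x0     # frame type, RFC 7540 section 6.1
PADDED = 0x8   # flag: payload starts with a one-octet Pad Length field
MAX_FRAME = 16384  # default SETTINGS_MAX_FRAME_SIZE


def build_padded_data(stream_id, data, bucket=64):
    """Return one DATA frame whose payload length is a multiple of `bucket`."""
    if not 1 <= bucket <= 256:
        # Pad Length is a single octet, so one frame adds at most 255 octets.
        raise ValueError("bucket must be between 1 and 256")
    pad = -(1 + len(data)) % bucket  # the 1 is the Pad Length octet itself
    payload = bytes([pad]) + data + bytes(pad)  # padding octets are zero
    if len(payload) > MAX_FRAME:
        raise ValueError("payload exceeds the default maximum frame size")
    header = (len(payload).to_bytes(3, "big")
              + bytes([DATA, PADDED])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_data(frame):
    """Return (stream_id, data) from one DATA frame, stripping any padding."""
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if ftype != DATA or len(payload) != length:
        raise ValueError("not a complete DATA frame")
    if flags & PADDED:
        pad = payload[0]
        if pad >= length:
            # Section 6.1: padding as long as the payload is a PROTOCOL_ERROR.
            raise ValueError("PROTOCOL_ERROR: pad length >= payload length")
        payload = payload[1:length - pad]
    return stream_id, payload


if __name__ == "__main__":
    # Constructed sample secrets of different lengths.
    for secret in (b"hunter2", b"correct horse battery"):
        frame = build_padded_data(1, secret)
        print(len(secret), "->", len(frame), parse_data(frame))
```

Padding to a bucket hides lengths only within that bucket; a secret that crosses a bucket boundary still produces a visibly larger frame.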