Re: HTTP/2 and HTTPS BICYCLE attack

On Thu, Jan 07, 2016 at 10:34:03PM +1100, Martin Thomson wrote:
> 
> If this had come with actual password recovery, I'd be impressed, but
> we've known for a long time that TLS doesn't protect lengths. TLS 1.3
> will let you try to protect lengths, but it's hard enough to do that
> we will likely give the same advice there: if you have a secret, then
> make it long, make every bit hard to guess, and make it the same
> length as all the other things like it.

HTTP/2 has padding support too (at least for HEADERS and DATA), right?

(Of course, this doesn't make it easy to use).


-Ilari

Received on Thursday, 7 January 2016 13:51:30 UTC
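Added example, not part of the original message or of any project's code: the DATA-frame padding mentioned above (RFC 7540, section 6.1), used to round every frame payload up to a fixed bucket so that bodies of different lengths produce frames of equal size. The 64-octet bucket, the function names and the sample request bodies are assumptions constructed for illustration.

```python
# Frame constants from RFC 7540, sections 4.1 and 6.1.
FRAME_TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8
MAX_PAD = 255   # Pad Length is a single octet
BUCKET = 64     # assumption: payloads are rounded up to a multiple of 64 octets


def padded_data_frame(stream_id, data, bucket=BUCKET, end_stream=True):
    """Build one DATA frame whose payload length is a multiple of `bucket`."""
    if not 0 < stream_id < 2**31:
        raise ValueError("DATA frames need a non-zero 31-bit stream id")
    unpadded = 1 + len(data)            # Pad Length octet + application data
    pad_len = -unpadded % bucket        # octets needed to reach the next bucket
    if pad_len > MAX_PAD:
        raise ValueError("bucket too large for one frame's padding")
    payload = bytes([pad_len]) + data + b"\x00" * pad_len
    flags = FLAG_PADDED | (FLAG_END_STREAM if end_stream else 0)
    header = len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_DATA, flags])
    header += stream_id.to_bytes(4, "big")   # reserved bit stays 0
    return header + payload


def parse_data_frame(frame):
    """Receiver side: validate and strip padding, return (stream_id, data)."""
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if ftype != FRAME_TYPE_DATA or len(payload) != length:
        raise ValueError("not a complete DATA frame")
    if flags & FLAG_PADDED:
        pad_len = payload[0]
        if pad_len >= length:           # PROTOCOL_ERROR per RFC 7540, 6.1
            raise ValueError("padding length exceeds frame payload")
        payload = payload[1:length - pad_len]
    return stream_id, payload


# Constructed sample bodies: same field names, secrets of different lengths.
SAMPLE_BODIES = [b"user=alice&password=hunter2",
                 b"user=alice&password=correcthorse"]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(len(body), "->", len(padded_data_frame(1, body)))
```

Bodies that fall on opposite sides of a bucket boundary still produce frames of different sizes, so the bucket has to be chosen against the range of secret lengths actually in use.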