- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 27 Jul 2017 17:15:20 +1000
- To: Willy Tarreau <w@1wt.eu>
- Cc: Benjamin Kaduk <bkaduk@akamai.com>, Kazuho Oku <kazuhooku@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Willy,

On 27 July 2017 at 17:08, Willy Tarreau <w@1wt.eu> wrote:
> On Wed, Jul 26, 2017 at 02:19:29PM +1000, Martin Thomson wrote:
>> If Early-Data was omitted by the client, that would make it easier in
>> a sense. Then an intermediary could tell if it was the first.
>
> If you remember, that's exactly the conclusion that drew us to get rid
> of this header on the client during our first meeting. We noticed that
> it was wrong to have the client provide it because it would confuse
> chained intermediaries, and in the end the only thing that matters is
> not how the request was *sent* but how it was *received*.

Yes, this was a good reason until Subodh convinced me that the race was
serious and that how the packet is received can be controlled by an
attacker to the extent necessary to confuse a server.

It's true that receipt is what matters ultimately. I've updated the PR
(https://github.com/martinthomson/http-replay/pull/25) to capture this
nuance. Hopefully it isn't awful.
Received on Thursday, 27 July 2017 07:15:43 UTC
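The "marked by how it was received, not how it was sent" rule for the Early-Data header, modelled as an added example (not code from the http-replay draft or the HTTP WG). It assumes the header value "1" and the 425 (Too Early) status that RFC 8470 later fixed, and all function names are hypothetical.

```python
"""Early-Data handling across chained intermediaries and at the origin.

Added example, not part of the http-replay draft.  Assumes the header value
"1" and status 425 (Too Early) from RFC 8470; function names are hypothetical.
"""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def forward(request, received_in_early_data):
    """One intermediary hop.  The header reflects how *this* hop received the
    request; a mark set by an earlier hop is preserved, never removed."""
    out = dict(request)
    out["headers"] = dict(request["headers"])
    if received_in_early_data:
        out["headers"]["Early-Data"] = "1"
    return out


def chain(request, hops):
    """Forward through a list of hops; each entry says whether that hop
    received the request in TLS early data (0-RTT)."""
    for early in hops:
        request = forward(request, early)
    return request


def origin_decide(request):
    """Origin policy: a request that travelled as early data on any hop may
    be a replay, so only safe methods are served; anything else is told to
    retry once the handshake has completed (425 Too Early)."""
    possibly_replayed = request["headers"].get("Early-Data") == "1"
    if possibly_replayed and request["method"] not in SAFE_METHODS:
        return 425
    return 200


# Constructed sample requests; clients do not set Early-Data themselves.
GET_REQ = {"method": "GET", "path": "/", "headers": {}}
POST_REQ = {"method": "POST", "path": "/transfer", "headers": {}}

if __name__ == "__main__":
    # Early data on the first hop only: the second hop still carries the mark.
    print(origin_decide(chain(POST_REQ, [True, False])))   # 425
    print(origin_decide(chain(GET_REQ, [True, False])))    # 200
    print(origin_decide(chain(POST_REQ, [False, False])))  # 200
```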