- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 20 May 2023 10:02:52 +0200
- To: Ilari Liusvaara <ilariliusvaara@welho.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Sat, May 20, 2023 at 10:56:47AM +0300, Ilari Liusvaara wrote: > On Fri, May 19, 2023 at 02:30:50PM -0700, David Schinazi wrote: > > > > I agree with you that the main motivations for masking don't matter as much > > when WebSocket runs over TLS or QUIC (though AEADs without random IVs allow > > a collaborating client and server to predict the next keymat...). However, > > it's not clear to me why the overhead of masking matters. I wouldn't expect > > the XOR to be visible on CPU traces. Is this masking causing noticeable > > performance issues in your environment? > > As note on performance, it is not just XOR (which likely will not run > at anywhere close as fast as it could), it is also generating the random > numbers on client side. Many secure RNGs are very inefficient when > generating 4 bytes at a time. And then there is also possibility that > there are other poorly visible costs, e.g., extra data copying/ > buffering. Note that there's no real need for a secure RNG here, anything unpredictable *enough* to permit mass abuse is sufficient. Willy
Received on Saturday, 20 May 2023 08:02:59 UTC