Re: Stephen Farrell's Discuss on draft-ietf-httpbis-cice-02: (with DISCUSS)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 04 September 2015 15:34 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A231B32DE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 4 Sep 2015 08:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.012
X-Spam-Level:
X-Spam-Status: No, score=-7.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hiE9zbAFlVy7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 4 Sep 2015 08:34:57 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 721131B409F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 4 Sep 2015 08:33:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZXswk-0000r5-AO for ietf-http-wg-dist@listhub.w3.org; Fri, 04 Sep 2015 15:30:34 +0000
Resent-Date: Fri, 04 Sep 2015 15:30:34 +0000
Resent-Message-Id: <E1ZXswk-0000r5-AO@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <stephen.farrell@cs.tcd.ie>) id 1ZXswd-0000qJ-6O for ietf-http-wg@listhub.w3.org; Fri, 04 Sep 2015 15:30:27 +0000
Received: from [134.226.56.6] (helo=mercury.scss.tcd.ie) by lisa.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <stephen.farrell@cs.tcd.ie>) id 1ZXswZ-0007Sc-Cl for ietf-http-wg@w3.org; Fri, 04 Sep 2015 15:30:26 +0000
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 754EDBE39; Fri, 4 Sep 2015 16:29:55 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pla3pJtua0qg; Fri, 4 Sep 2015 16:29:55 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3B25DBDF9; Fri, 4 Sep 2015 16:29:55 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1441380595; bh=4AP7CCqKtkhseaUrQp1qBPWKnrIqXom4r+K3mDFS6ow=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Ww0Nhhz8E56bxpGa1muc7juT6c2LN4VbPDnoBWOChCv/a31wYDDtFs7luPt2okdIj cVK+jb67vpdswhdOgrSaVlZX8/8LtTf16M7Q0O6CsMx23PUOe7lQwh9qxvWBEFfZLL 1Of6LWK1tgjRzjn+TCXRwFJRL+LpttQIezqC+PTg=
To: Julian Reschke <julian.reschke@gmx.de>, Mark Nottingham <mnot@mnot.net>
References: <20150902153943.26198.21461.idtracker@ietfa.amsl.com> <9F69E58B-58CA-48BB-AFBE-01E50840512C@mnot.net> <55E79BD0.4030707@cs.tcd.ie> <55E80971.9070905@greenbytes.de> <55E8172B.4030203@cs.tcd.ie> <55E9B300.2070702@gmx.de>
Cc: Mark Nottingham <mnot@pobox.com>, ietf-http-wg@w3.org, The IESG <iesg@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <55E9B8F3.7010705@cs.tcd.ie>
Date: Fri, 04 Sep 2015 16:29:55 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <55E9B300.2070702@gmx.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=134.226.56.6; envelope-from=stephen.farrell@cs.tcd.ie; helo=mercury.scss.tcd.ie
X-W3C-Hub-Spam-Status: No, score=-8.2
X-W3C-Hub-Spam-Report: AWL=1.353, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RDNS_NONE=0.793, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1ZXswZ-0007Sc-Cl 9e4209d094320aa7252417068abe9423
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Stephen Farrell's Discuss on draft-ietf-httpbis-cice-02: (with DISCUSS)
Archived-At: <http://www.w3.org/mid/55E9B8F3.7010705@cs.tcd.ie>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30179
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Julian, That change would be great thanks, S. On 04/09/15 16:04, Julian Reschke wrote: > On 2015-09-03 11:47, Stephen Farrell wrote: >> ... >>>> But more importantly, yes, I'm asking about the kind of analysis >>>> that lead to the section 10.6 you point at. >>> >>> There was no analysis because the use of compression in this >>> client->server direction really really isn't new at all. >> >> Hmmm. >> >> S. > > Right now we have: > >> 6. Security Considerations >> >> This specification does not introduce any new security considerations >> beyond those discussed in Section 9 of [RFC7231]. > > ...so that's clearly not helping. How about: > > "This specification introduces only discovery of supported content > codings and diagnostics for requests failing due to unsupported content > codings. As such, it doesn't introduce any new security considerations > over those already present in HTTP/1.1 (see Section 9 of [RFC7231]) and > HTTP/2 (Section 10 of [RFC7540]). > > However, the point of better discoverability and diagnostics is to make > it easier to use content codings in requests. This might lead to > increased usage of compression codings such as gzip (Section 4.2.3 of > [RFC7230]), which, when used over a secure channel, can be subject to > compression side-channel attacks such as BREACH (Section 10.6 of > [RFC7540], [BREACH]). At the time of publication, it was unclear how > BREACH-like attacks can be applied to compression in HTTP requests." > > Best regards, Julian >
- Stephen Farrell's Discuss on draft-ietf-httpbis-c… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Julian Reschke
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Julian Reschke
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Julian Reschke
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Julian Reschke
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham