Re: delta encoding and state management

Willy Tarreau <w@1wt.eu> Tue, 22 January 2013 22:31 UTC


On Tue, Jan 22, 2013 at 01:54:18PM -0800, Roberto Peon wrote:
> The thing that isn't in delta, etc. already is the idea of 'rooting' the
> path space with the single request (which I like, but... it is subject to
> the CRIME exploit if path-prefix grouping is done automatically by the
> browser (instead of being defined by the content-developer)).

I think that if the path-prefix only contains complete path components (not
just some chars), then we're fine with the CRIME attack because in order to
make the browser merge requests, the attacker has to brute-force each path
component's name. Also, as long as it remains a path, it doesn't unveil what
is located behind, which generally contains the most interesting stuff.

> IF we take your proposal for eliminating much of the common-path prefix and
> ensure that it isn't subject to CRIME, that is a winner in any scheme.

Let's face it, the CRIME attack is against optimizations for redundant
elements. We probably need to spend more time analysing all the failures
involved in the attack itself than refraining from optimizing redundancy.
I mean, how a forged request from an attacker slips in the middle of valid
requests and how we can prevent it from being merged, or at least have it
in its own group.

Willy
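
A toy model of the complete-path-component argument above, added here as an illustration; it is not part of the original message and not the encoding of any proposal in the thread. It assumes a constructed reference path, constructed guesses, and a wire format of one prefix-length byte plus the unshared tail, and compares what the encoded size reveals under character-granular and component-granular prefix sharing.

```python
# Added illustration: toy size model, not the encoding of any draft in this thread.
# REF, GUESSES and the 1-byte prefix-length field are constructed assumptions.

REF = "/user/k9f2x7/mail"   # constructed: path of an earlier request in the group

def shared_chars(ref: str, path: str) -> int:
    """Longest common prefix, counted character by character."""
    n = 0
    for a, b in zip(ref, path):
        if a != b:
            break
        n += 1
    return n

def shared_components(ref: str, path: str) -> int:
    """Longest common prefix made only of complete path components."""
    parts = path.split("/")
    k = 0
    for a, b in zip(ref.split("/"), parts):
        if a != b:
            break
        k += 1
    return len("/".join(parts[:k]))

def encoded_size(ref: str, path: str, prefix_len) -> int:
    """Bytes on the wire: 1 byte naming the shared prefix + the unshared tail."""
    return 1 + len(path) - prefix_len(ref, path)

def worst_case_guesses(alphabet: int, length: int, per_char: bool) -> int:
    """Guesses needed to confirm one unknown component via the size signal."""
    return alphabet * length if per_char else alphabet ** length

# Constructed same-length guesses, each agreeing with REF on one more character.
GUESSES = ["/user/k00000/x", "/user/k90000/x", "/user/k9f000/x", "/user/k9f2x7/x"]

def size_profile(prefix_len) -> list:
    """Encoded size of every guess under the given prefix-sharing rule."""
    return [encoded_size(REF, g, prefix_len) for g in GUESSES]

if __name__ == "__main__":
    print("char-granular     :", size_profile(shared_chars))       # shrinks per char
    print("component-granular:", size_profile(shared_components))  # flat until full match
    print("guesses, 6 chars of [a-z0-9]:",
          worst_case_guesses(36, 6, True), "vs", worst_case_guesses(36, 6, False))
```

Under the component-granular rule the size moves only when an entire component is guessed correctly, so the per-character feedback that makes the search linear is gone and the component has to be brute-forced as a whole.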