Re: HTTP router point-of-view concerns
Martin Thomson <martin.thomson@gmail.com> Thu, 11 July 2013 23:34 UTC
Date: Thu, 11 Jul 2013 16:32:57 -0700
Message-ID: <CABkgnnUbNYUWyf22vEqqo9hxLDuRnPHA=m0c_NWrdy_xJXoY7A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 11 July 2013 15:56, Roberto Peon <grmocg@gmail.com> wrote:
> Thus far, the feedback we've received from security experts indicates that it
> is comparable to an attack without the compression (i.e. requires
> exponential time w.r.t. the size of the plaintext, or comparable to forcing
> the use of a brute-force attack).

There are, of course, limitations on this. If a particular header is small, it becomes easier to guess. If you were to, say, spread a bearer token into small pieces across multiple headers, then you would open yourself up to a CRIME-like attack.

That said, the value that an attacker can gain is fairly marginal, and there are ways to mitigate this. The security considerations will, ultimately, expand on these sorts of caveats as our knowledge improves.
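An added illustration of the size argument in the message above, not part of the thread and not the working group's draft compressor: a constructed toy indexer shows that a header indexed whole gives no partial credit to a near-miss guess, that a token spread over several small headers lets each piece be confirmed on its own, and that emitting the sensitive header as a never-indexed literal (the mitigation HPACK later standardised; assumed here as one of the "ways to mitigate", since the message names none) removes the length difference.

```python
"""Toy HPACK-like header block sizer, constructed for this example.

Simplification: a header is 1 byte when the exact name:value pair is already in
the dynamic table, otherwise 1 byte plus the literal name and value.  HPACK's
name-only matches, Huffman coding and table eviction are deliberately omitted.
"""
from typing import Iterable, List, Tuple

Header = Tuple[str, str]


class ToyCompressor:
    def __init__(self, never_index: Iterable[str] = ()) -> None:
        self.table: List[Header] = []
        # Header names that are always sent literally and never remembered.
        self.never_index = {n.lower() for n in never_index}

    def encode_size(self, headers: List[Header]) -> int:
        """Return the size in bytes of one header block, updating the table."""
        size = 0
        for name, value in headers:
            name = name.lower()
            if name in self.never_index:
                size += 1 + len(name) + len(value)   # literal, not indexed
            elif (name, value) in self.table:
                size += 1                            # hit: one index byte
            else:
                size += 1 + len(name) + len(value)   # literal, then indexed
                self.table.append((name, value))
        return size


def block_size_after(secret: List[Header], probe: List[Header],
                     never_index: Iterable[str] = ()) -> int:
    """Size of `probe` sent on a context that already carried `secret`."""
    c = ToyCompressor(never_index)
    c.encode_size(secret)   # the victim's own request fills the table
    return c.encode_size(probe)


def size_delta(secret: List[Header], guess: List[Header],
               never_index: Iterable[str] = ()) -> int:
    """Bytes saved because `guess` matched earlier traffic, relative to a
    same-length probe that matches nothing.  Zero means the block length
    carries no information about the guess."""
    miss = [(n, "\x00" * len(v)) for n, v in guess]
    return (block_size_after(secret, miss, never_index)
            - block_size_after(secret, guess, never_index))


WHOLE = [("authorization", "Bearer s3cr3t")]           # constructed sample
SPLIT = [("x-tok-1", "s3"), ("x-tok-2", "cr"), ("x-tok-3", "3t")]
```

A near-miss against WHOLE yields a delta of 0 while one correct piece against SPLIT still yields a positive delta, which is exactly why splitting a token across small headers weakens the brute-force bound.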