Re: Stephen Farrell's Discuss on draft-ietf-httpbis-cice-02: (with DISCUSS)

Julian Reschke <julian.reschke@gmx.de> Fri, 04 September 2015 15:08 UTC

To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mark Nottingham <mnot@mnot.net>
References: <20150902153943.26198.21461.idtracker@ietfa.amsl.com> <9F69E58B-58CA-48BB-AFBE-01E50840512C@mnot.net> <55E79BD0.4030707@cs.tcd.ie> <55E80971.9070905@greenbytes.de> <55E8172B.4030203@cs.tcd.ie>
Cc: ietf-http-wg@w3.org, The IESG <iesg@ietf.org>, Mark Nottingham <mnot@pobox.com>
From: Julian Reschke <julian.reschke@gmx.de>
Message-ID: <55E9B300.2070702@gmx.de>
Date: Fri, 04 Sep 2015 17:04:32 +0200
In-Reply-To: <55E8172B.4030203@cs.tcd.ie>
Subject: Re: Stephen Farrell's Discuss on draft-ietf-httpbis-cice-02: (with DISCUSS)
Archived-At: <http://www.w3.org/mid/55E9B300.2070702@gmx.de>

On 2015-09-03 11:47, Stephen Farrell wrote:
> ...
>>> But more importantly, yes, I'm asking about the kind of analysis
>>> that led to the section 10.6 you point at.
>>
>> There was no analysis because the use of compression in this
>> client->server direction really really isn't new at all.
>
> Hmmm.
>
> S.

Right now we have:

> 6. Security Considerations
>
> This specification does not introduce any new security considerations beyond those discussed in Section 9 of [RFC7231].

...so that's clearly not helping. How about:

"This specification introduces only discovery of supported content 
codings and diagnostics for requests failing due to unsupported content 
codings. As such, it doesn't introduce any new security considerations 
over those already present in HTTP/1.1 (see Section 9 of [RFC7231]) and 
HTTP/2 (Section 10 of [RFC7540]).

However, the point of better discoverability and diagnostics is to make 
it easier to use content codings in requests. This might lead to 
increased usage of compression codings such as gzip (Section 4.2.3 of 
[RFC7230]), which, when used over a secure channel, can be subject to 
compression side-channel attacks such as BREACH (Section 10.6 of 
[RFC7540], [BREACH]). At the time of publication, it was unclear how 
BREACH-like attacks can be applied to compression in HTTP requests."

Best regards, Julian