httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: breach attack
Date Tue, 20 Aug 2013 08:19:09 GMT

Op 12 aug. 2013, om 01:35 heeft Eric Covener <covener@gmail.com> het volgende geschreven:

> 
> > What do you think of including a header? Is there a way to find out
> > from the encrypted traffic where the header ends and where the body
> > starts?
> 
> For a typical request they are in separate SSL records and someone running a packet capture
can tell when the headers or body has grown.  We could arrange for the headers to always span
an SSL record, and put a variable length one at the bottom  -- but that only helps if the
secret and request data are in the first frame.
Not sure - I am fairly sure we nicely cut on headers - and have the (SSL) packets go out at
or very near the end of the header. 

So I guess we'd intentionally would have to sub-optimize this somewhat - or uses some default
chunked/mime-type boundary trickery outside the traditional header instead.

Dw.


Mime
View raw message