You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Section 11.3 talks about message integrity in general terms. The introductory sentence is good, but it then seemingly intermingles several different factors that might be relevant:
Accidental corruption of messages in the network. This is not something that applies to HTTPS, but it is relevant for the cleartext variant.
The use of intermediaries that might not be trusted not to modify messages. Noting here that this is likely selective as intermediaries need to modify certain parts of messages.
Attacks on the protocol, which break down further:
a. Attacks on cleartext HTTP, which has no real defense.
b. Attacks on TLS, which has good defenses on the whole, though less so with respect to truncation of responses. This is due to the way that HTTP/1.1 allows connection termination (which is under attacker influence) to end a response and the way that TLS in practice is really poor at propagating close_notify in a way that is distinguishable from TCP closure.
Overall, I think that this text could be made clearer.
The text was updated successfully, but these errors were encountered:
I didn't want to make this too disruptive, so I concentrated on the high
points. Related to the changes in httpwg#734.
Breakdown:
- integrity is important (existing text)
- HTTPS provides integrity, but you have to be careful with truncation
(includes existing example)
- HTTP provides no integrity
- extensions can be used to provide additional protection, including
managing the risk of intermediaries messing around (massaging existing
text)
Closeshttpwg#726.
Section 11.3 talks about message integrity in general terms. The introductory sentence is good, but it then seemingly intermingles several different factors that might be relevant:
a. Attacks on cleartext HTTP, which has no real defense.
b. Attacks on TLS, which has good defenses on the whole, though less so with respect to truncation of responses. This is due to the way that HTTP/1.1 allows connection termination (which is under attacker influence) to end a response and the way that TLS in practice is really poor at propagating close_notify in a way that is distinguishable from TCP closure.
Overall, I think that this text could be made clearer.
The text was updated successfully, but these errors were encountered: