Avoid tracking bits in Alt-Svc quic= parameter #1081
Comments
|
Note that the greasing point is moot. No implementation should ever consider itself to understand one of the reserved versions. |
|
Mostly resolved by #1097, which requires the client to drop reserved versions. |
mnot
added
the
design
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If a server sends an Alt-Svc entry that nominates a QUIC version that doesn't actually exist and the client goes with it, there's a tracking risk. The client should never propose a valid version that it doesn't speak, so this isn't 32 bits of tracking, but if the server sends something in the grease range, the client knows it's okay that it doesn't speak it. You still get 16 bits of persistent ID this way.
This can probably be avoided by adding a requirement that the client only use versions from the list that it speaks, and that if it decides to grease it MUST generate its own grease version.
The text was updated successfully, but these errors were encountered: