Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

2011-09-07 10:50:47
On Tue, Sep 06, 2011 at 10:05:48PM +0100, Stephen Farrell wrote:

> Hi Richard,
>
> On 09/06/2011 06:57 PM, Richard L. Barnes wrote:
>> IMO, this is a pretty strong argument against masking, given how low the
>> observed rate of buggy intermediaries is (~0.0017%) and how high the
>> observed rate of malware propagation is.
>
> I'm not sure what you're comparing there. Can you elaborate?
>
> In fact, I'm not sure I get the malware argument. Malware
> authors are also free to obfuscate or mask their stuff,
> when both sides of the conversation but not the intermediaries
> are controlled as would be the case here. Or maybe I'm
> missing something?

No, you're not missing anything, some malware even communicates
via micro-messaging such as Twitter nowadays, this is plain
valid HTTP!

> I personally think the masking thing is pretty ugly. But I
> have to (reluctantly) admit I think it does what it's
> supposed to do. At this stage I think it comes down to
> either doing the masking or not using port 80.

Indeed. Also the masking is optional in the protocol but defined
as mandatory in clients. So some special applications might very
well not implement it at all and some day it's very likely that
we'll get rid of it by default, just like the web doesn't work
well if you omit to post a Host header today.

Regards,
Willy
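
Added example, not part of the original message or of the draft's text: a sketch of the client-to-server masking debated above, showing that a payload shaped like an HTTP request does not appear verbatim on the wire once masked, and that a server can refuse client frames that lack the MASK bit. It assumes the WebSocket base framing layout (FIN/opcode byte, MASK bit plus 7-bit length, optional extended length, 4-byte masking key); the function names and the sample payload are constructed for illustration.

```python
import os
import struct

# Constructed sample: payload bytes shaped like an HTTP request.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

def mask_payload(payload, key):
    """XOR byte i with key[i % 4]; applying it twice restores the input."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def build_client_frame(payload, key=None):
    """One unfragmented text frame with the MASK bit set (client to server)."""
    key = os.urandom(4) if key is None else key
    n = len(payload)
    if n < 126:
        length = bytes([0x80 | n])
    elif n < 65536:
        length = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        length = bytes([0x80 | 127]) + struct.pack("!Q", n)
    return bytes([0x81]) + length + key + mask_payload(payload, key)

def parse_client_frame(frame):
    """Server side: refuse unmasked client frames, else return the payload."""
    if len(frame) < 2:
        raise ValueError("truncated header")
    masked, n, off = bool(frame[1] & 0x80), frame[1] & 0x7F, 2
    if n in (126, 127):
        size = 2 if n == 126 else 8
        if len(frame) < off + size:
            raise ValueError("truncated length")
        n = int.from_bytes(frame[off:off + size], "big")
        off += size
    if not masked:
        raise ValueError("client frame without MASK bit")
    key, body = frame[off:off + 4], frame[off + 4:off + 4 + n]
    if len(key) < 4 or len(body) < n:
        raise ValueError("truncated frame")
    return mask_payload(body, key)

if __name__ == "__main__":
    wire = build_client_frame(SAMPLE)
    print("request line visible on the wire:", b"GET /index.html" in wire)
    print("server recovers payload:", parse_client_frame(wire) == SAMPLE)
```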
