Maybe I have a somewhat simplistic view of the issue not having read any
of those papers, but would the obvious solution not be to add dummy
headers to the HTTP request/response?
For example, the client could add an "X-Pad: datadatadatadata" header
with random length data to the request discouraging URL guessing based on
the request message length. The server could do the same for the
response. The big plus is that this is perfectly downwards compatible. A
minus is that you can of course only increase the length of messages this
way, but my understanding of HTTP/1.1 is that you could work around that
by making several requests and using ranges.
As an only partially related note, TLS explicitly allows any appropriate
padding length from 0-255 for block ciphers exactly to avoid attacks
based on message lengths at the record level.
Regards,
Andreas Sterbenz mailto:[EMAIL PROTECTED]
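As an added illustration of the X-Pad idea (this is not code from the thread or from either author), the following Python builds a small HTTP/1.1 request, inserts a random-content "X-Pad" header, and shows how the on-the-wire length stops distinguishing URLs. It generalizes the suggestion slightly: instead of a purely random pad length, it rounds every message up to the next multiple of a bucket size, since random-length padding alone still leaks the distribution of the original lengths. The host name and paths are constructed placeholders, and the bucket size is an assumed tuning parameter. The "only increase, never decrease" limitation mentioned above is exactly why the rounding is always upward.

```python
import secrets
import string

# Pad characters must never contain CR or LF, or they would terminate the header.
PAD_ALPHABET = string.ascii_letters + string.digits


def build_request(path: str, host: str = "example.test") -> bytes:
    """Build a minimal HTTP/1.1 GET request (constructed sample; host is a placeholder)."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def pad_to_bucket(message: bytes, bucket: int = 256) -> bytes:
    """Insert an X-Pad header so that len(result) is the next multiple of `bucket`.

    Padding can only grow a message, so every length is rounded up, never down.
    `bucket` is an assumed parameter: larger buckets hide more, cost more bytes.
    """
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP message head")
    fixed = b"\r\nX-Pad: "                      # 9 bytes of overhead even for an empty pad value
    min_len = len(message) + len(fixed)
    target = -(-min_len // bucket) * bucket     # ceiling to the next bucket multiple
    filler = "".join(secrets.choice(PAD_ALPHABET)
                     for _ in range(target - min_len)).encode("ascii")
    return head + fixed + filler + sep + body


def strip_pad(message: bytes) -> bytes:
    """Drop the X-Pad header again, which is all a receiver has to do to stay compatible."""
    head, sep, body = message.partition(b"\r\n\r\n")
    lines = [line for line in head.split(b"\r\n")
             if not line.lower().startswith(b"x-pad:")]
    return b"\r\n".join(lines) + sep + body


def observed_lengths(paths, bucket: int = 256):
    """Return the set of wire lengths an observer sees before and after padding."""
    raw = {len(build_request(p)) for p in paths}
    padded = {len(pad_to_bucket(build_request(p), bucket)) for p in paths}
    return raw, padded


if __name__ == "__main__":
    sample_paths = ["/", "/login", "/admin/report.html"]   # constructed sample URLs
    raw, padded = observed_lengths(sample_paths)
    print("unpadded lengths:", sorted(raw))    # three distinct values, one per URL
    print("padded lengths:  ", sorted(padded)) # a single value: the bucket size
```

The receiver needs no changes beyond ignoring an unknown header, which is what makes the scheme backward compatible; the cost is bandwidth, and the bucket size is the knob that trades bytes for indistinguishability. Note that padding the request does nothing for the response, which the server would have to pad in the same way.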
-----Original Message-----
From: Gabriel Belingueres <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, 06 September 1999 18:18
Subject: Re: Web Traffic Analysis
> Here I send to you a draft of the protocol, but there are a lot of work
> to do yet.
> Numbers and lengths are drafts too.
>
> Gabriel.