On Sat, Nov 28, 2015 at 10:05 AM, Roland Zink <rol...@zinks.de> wrote:
> Am 28.11.2015 um 17:56 schrieb Henrick Hellström: > >> AFAIK, HTTP 1.1 browsers typically don't send a new request over an open >> connection, before it has received the response to the previous request. If >> that is the case, it is trivial to get the message lengths from the >> traffic, with or without encrypted TLS record headers. IOW you gain nothing >> by encrypting the length fields. >> >> I think this is what browsers do by default. For HTTP2 this should be > different. This is HTTP/1.1 pipelining, which is supported by most browsers but typically disabled by default as most servers don't support pipelining correctly. -- Tony Arcieri
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls