Drew DeVault via plug on 21 Sep 2019 18:56:36 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] The lock down?! Uhh.. why?

On Fri Sep 20, 2019 at 3:21 PM prushik--- via plug wrote:
> This assumes that each file is downloaded in a seperate connection,
> which I doubt is the case. Popularity of HTTP 1.1 is probably in part
> do to the fact that it fixes this, making TLS more secure and
> mitigating the performance overhead.

Even with HTTP 1.1, I'm sure timing attacks are trivial for separating
out the individual requests. It would be more difficult with HTTP 2 but
I think we're still several years out from seeing broad adoption across

Other distros don't have a herd of starry-eyed programmers implementing
every RFC they can get their grubby hands on, either. Outside of Debian
I would be surprised to see HTTP 1.1 persistent connections being used.
My distro of choice, Alpine Linux, definitely does not use them. A quick
survey of pacman shows that it shells out to curl for every request,
which is convenient because you can replace curl with an arbitrary
command to fetch over some other transport.
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug