Which compression protocol/algorithm is SPDY 4 using?


Gang Wu

Oct 28, 2015, 6:22:07 PM
to net-dev
Hi,

Does anyone know which compression protocol/algorithm SPDY 4 is using?
And is there a way I can force enable SPDY 4 on my HTTPS communication (like setting some field "protocol:SPDY4" in the HTTP request header to enable it)?

--
Thanks,
Gang

Ryan Hamilton

Oct 28, 2015, 7:58:59 PM
to Gang Wu, net-dev
SPDY/4 never really existed. Instead, what we called SPDY/4 was really HTTP/2. (Or rather, as HTTP/2 progressed, the "SPDY/4" code in Chromium simply implemented HTTP/2). HTTP/2 is negotiated via ALPN (or NPN until we remove it) as part of the TLS handshake. As far as compression, if you are referring to the compression of HTTP headers, it uses HPACK, as specified by the HTTP/2 RFC. 

Cheers,

Ryan


Gang Wu

Oct 30, 2015, 1:41:02 PM
to Ryan Hamilton, Gang Wu, net-dev
Thanks, Ryan!

I am asking this because we are the Chrome-sync team; currently, we are thinking about compressing sync data between the sync client and the sync server.
The problem is, gzip + HTTPS will cause CRIME. After talking with Thai, he recommended that SPDY/4's compression algorithm is safe; that's why I asked the question originally.
And during my previous email question, I found "User-agents MUST support gzip compression. Regardless of the Accept-Encoding sent by the user-agent, the server may always send content encoded with gzip or deflate encoding." from https://www.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3-1#TOC-3.2.1-Request

So, I have 2 questions now:
1. Is there some library I can use to compress and uncompress HPACK (like gzip, for which we have zlib in the thirdparty folder)?
2. Since SPDY/3.1 will force the use of gzip, but gzip is not safe against CRIME, is there some way to let the server (GFE) use HPACK and not gzip?

Does anyone know?

Thanks,
Gang 
--
Thanks,
Gang

Ryan Hamilton

Oct 30, 2015, 2:14:50 PM
to Gang Wu, net-dev
Thanks for the context. This brings up a few points.

SPDY (and now HTTP/2) perform automatic compression of headers. The CRIME attack revealed that it was possible for attackers to discover cookies from such compressed headers. HTTP/2 uses HPACK, which is not vulnerable to this attack, and since SPDY/3.1 is deprecated and will be removed from Chrome in the near future, you should definitely use HTTP/2, which can be negotiated via NPN or ALPN during the TLS handshake. That being said, Chrome's SPDY/3.1 gzip implementation has been modified to protect against this attack.

Of course, I suspect that compressing the request/response body is probably more important to you than compressing headers. Neither HTTP/2 nor SPDY/3.1 will do this automatically. (Though earlier versions of SPDY did have this capability, it was never implemented in Chrome, as far as I know).

If you want a library for simply compressing/decompressing HPACK headers, you might want to look at the code in Chromium's net/spdy/ repository.

Cheers,

Ryan
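
An added illustration of the point made in the reply above, not part of the original thread and not Chromium's code: it measures how much a partly correct guess shrinks the output when a secret and an attacker-chosen header share one DEFLATE context, and compares that with whole-field indexing of the kind HPACK uses. The header names, the cookie value and the `indexed_size` model are constructed assumptions; real HPACK also applies a static Huffman code, which is omitted here.

```python
import zlib

# Constructed sample values (not from the thread). One header field is chosen
# by an untrusted party and compressed alongside a secret cookie.
SECRET = b"cookie: session=7f3a9c41d2e85b06a1c4f9e27d6b3058\r\n"
MATCH = b"x-note: " + SECRET[8:36] + b"\r\n"          # repeats 28 secret bytes
MISS = b"x-note: session=Q9zL0mT4vW8xK2pR6yB1\r\n"   # same length, wrong value


def deflate_size(attacker_field: bytes) -> int:
    """Size when both fields share one DEFLATE window (substring matching)."""
    return len(zlib.compress(SECRET + attacker_field, 9))


def indexed_size(attacker_field: bytes) -> int:
    """Simplified HPACK-style model (assumption, hypothetical helper).

    A field is sent as a 1-byte index only if the whole field is already in
    the table; otherwise it is a literal with a 1-byte length prefix. There
    is no substring matching between fields.
    """
    table, total = set(), 0
    for field in (SECRET, attacker_field):
        if field in table:
            total += 1                 # reference to an existing entry
        else:
            total += 1 + len(field)    # length prefix + literal bytes
            table.add(field)
    return total


def length_leak(size_fn) -> int:
    """Bytes by which a partly correct guess shrinks the encoded output."""
    return size_fn(MISS) - size_fn(MATCH)


if __name__ == "__main__":
    print("shared DEFLATE context leak:", length_leak(deflate_size), "bytes")
    print("whole-field indexing leak:  ", length_leak(indexed_size), "bytes")
```

A non-zero leak in the first line and zero in the second is the property to check for when deciding whether secrets and untrusted input may share a compression context.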