

HTTP Pipelining: Security risk without real performance benefits - lmacvittie
http://devcentral.f5.com/weblogs/macvittie/archive/2009/04/02/http-pipelining-a-security-risk-without-real-performance-benefits.aspx

======
cperciva
The author doesn't understand HTTP pipelining, and is drawing completely
incorrect conclusions as a result.

First, the fact that HTTP requests are pipelined _in the network_ doesn't mean
that HTTP requests have to be pipelined _in the server_. HTTP server support
for pipelining can be as simple as "be aware that there may be more requests
sitting in the receive buffer after the one we're currently reading", and in
most situations (where the time it takes to service a request is far less than
internet RTT) this alone provides a huge speedup.

In fact, I'm not aware of _any_ HTTP servers actually processing pipelined
requests in parallel.

HTTP Pipelining is not intended to do anything to mitigate server request-
handling latency. It's all about cutting out network RTTs, and if you have to
download hundreds of small files (e.g., small images on a web page) it does
this very well.

------
kiwidrew
Summary: HTTP pipelining isn't relevant any longer because we're all on
broadband. Because the server has to send out the responses in the order that
the original requests were received, the server may need to buffer a response
if it is ready before the previous responses have been sent. Thus a malicious
client could request a page which takes a long time to generate (e.g. a
complex database query) followed by 99 other requests (as there is a limit of
100 requests in a single pipeline) and force the server to buffer the final 99
responses until the first request has completed.

Basically, the author rants about pipelining being useless (even though it's
quite useful in practice, particularly when serving static content from a
separate domain) and then tries to claim that a minor denial-of-service attack
is a huge security risk and that this is justification for not using
pipelining.

~~~
cperciva
_force the server to buffer the final 99 responses until the first request has
completed._

Except that most or all servers won't generate the final 99 responses until
the first request has completed... in fact, most or all servers won't even
read the final 99 requests until the first request has completed.
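
As an added example (not code from the article or from either commenter), the following Python sketch shows the sequential model cperciva describes: the server notices that more requests are waiting in the receive buffer and services them one at a time, so a slow first request never leaves later responses sitting in a reorder buffer, and the `max_depth` cap applies the 100-request pipeline limit kiwidrew mentions. The function names, `echo_handler` and `SAMPLE_BUFFER` are constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

MAX_PIPELINE_DEPTH = 100  # per-connection cap; the limit the thread mentions


def parse_one_request(buf: bytes) -> Optional[Tuple[tuple, bytes]]:
    """Parse one HTTP/1.1 request from the front of buf; None if incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    head, rest = buf[:end], buf[end + 4:]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    if len(rest) < length:
        return None  # body not fully received yet
    return (parts[0].decode(), parts[1].decode(), headers, rest[:length]), rest[length:]


def serve_pipeline(buf: bytes, handler: Callable[[tuple], bytes],
                   max_depth: int = MAX_PIPELINE_DEPTH) -> List[bytes]:
    """Handle pipelined requests one at a time, in arrival order.
    The handler finishes before the next request is even parsed, so each
    response is emitted as soon as it exists and nothing queues behind a
    slow earlier request; max_depth bounds the work accepted per buffer."""
    responses: List[bytes] = []
    while buf and len(responses) < max_depth:
        parsed = parse_one_request(buf)
        if parsed is None:
            break
        request, buf = parsed
        responses.append(handler(request))
    return responses


def echo_handler(request: tuple) -> bytes:
    """Constructed stand-in for real request handling."""
    method, target, _headers, body = request
    payload = f"{method} {target} {len(body)}".encode()
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(payload), payload)


# Constructed receive buffer holding three pipelined requests.
SAMPLE_BUFFER = (
    b"GET /slow-report HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
)
```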

