W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: Upgrade status for impl draft 1

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Thu, 28 Feb 2013 21:06:38 +1300
Message-ID: <512F100E.9080204@treenet.co.nz>
To: Eliot Lear <lear@cisco.com>
CC: ietf-http-wg@w3.org
On 28/02/2013 8:31 p.m., Eliot Lear wrote:
> On 2/28/13 6:58 AM, Amos Jeffries wrote:
>
>> Can we take a step back folks and outline _exactly_ what it is that
>> needs protecting here?
>>
>>   - the datum responded by DNS?
>>   - the HTTP channel?
>>
> The case we're talking about is where http://www.example.com:8080 and
> https://www.example.com:4343 have the exact same content and services.
> You don't want a man in the middle to be able to force clients to 8080
> when a more secure encrypted service is advertised.  One simple way
> around this is not to have 8080 available for this purpose.  Otherwise,
> you want to ensure the information you are getting from the DNS is
> accurate and complete.  DNSSEC provides that capability.
>
> Eliot

Fine. MITM have easy access to DNS to learn these details, same as the 
client does. All they will do is intercept the HTTPS channel and answer 
it from fetches sent to 8080, same as they do today. Status Quo.

My point was the only actual gain to be made is that DNS interceptors 
(dnsmasq and similar tools) are hindered by the DNSSEC stage. You get 
the same beneft from DNSSEC signing the A/AAAA records on a plain old 
HTTP/1.x connection. TCP interceptors hit the channel portion at the 
packet level and DNSSEC will not fix that.

Unless you start talking about making the TLS layer actually chain the 
security trust from DNSSEC down to the server TLS certificate the whole 
client trust system will still be vulnerable to HTTPS interceptors even 
if both are used.

Amos
Received on Thursday, 28 February 2013 08:07:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 28 February 2013 08:07:17 GMT