Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 1 Oct 2013 16:00:32 +1000
Cc: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>
Message-Id: <06B80849-8384-4540-8825-4C2845049B75@mnot.net>
To: Eliot Lear <lear@cisco.com>

On 01/10/2013, at 3:57 PM, Eliot Lear <lear@cisco.com> wrote:

> That is not what I call a strong indication.  Want to test its
> effectiveness with users?

I'm not disagreeing with you. Then again, it's already possible to perform this attack; the only difference is that the hostname will change (or not, depending on how IRIs are handled, and how creative the attacker is). 

Stronger mitigation is indeed necessary, although I disagree with your characterisation of only having three possible ways forward. 


>> It merely says "http protocol over TLS/SSL." That's what's happening here.
>> 
>> More to the point, this draft is proposing a pretty fundamental change to how URI schemes map to protocols and ports, and so some adjustment of scheme and port semantics ought to be expected. 
> 
> Not to the detriment of TLS.

Of course. We'll need to define that, though.

Regards,

--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 1 October 2013 06:01:00 UTC
