On Feb 15, 2014, at 12:42 AM, Patrick McManus <pmcmanus@mozilla.com<mailto:pmcmanus@mozilla.com>> wrote:
On Fri, Feb 14, 2014 at 1:56 PM, Salvatore Loreto <salvatore.loreto@ericsson.com<mailto:salvatore.loreto@ericsson.com>> wrote:
To distinguish between an HTTP2 connection meant to transport "https"
URIs resources and an HTTP2 connection meant to transport "http" URIs
resource, the draft proposes to
HTTP/2 doesn't require a connection to transport a consistent scheme as long as the underlying properties of the connection are sufficient for carrying all of the schemes on it. (i.e. you can't carry https:// without a minimum security set, but you can certainly mix https:// and http://)
register a new value in the Application Layer Protocol negotiation
(ALPN) Protocol IDs registry specific to signal the usage of HTTP2
to transport "http" URIs resources: h2clr.
(1) A User-Agent that makes a request to an "http" URI without prior
knowledge about support for HTTP2 uses TLS, with the application
level protocol negotiation extension inserting the h2clr tag, to
start the HTTP2 connection. The Proxy intercepts the TLS
ClientHello analyses the application layer protocol negotiation
extension field and if it contains "h2clr" value it blocks the TLS
ClientHello.
This document describes two alternative methods for an user-agent to
automatically discover and for an user to provide consent for a
Trusted Proxy to be securely involved when he or she is requesting an
HTTP URI resource over HTTP2 with TLS.
This has the effect of signaling to an on path observer which transactions, in a large stream of them, will not be able to detect a MITM interaction. I'm not in favour.
a trusted proxy signals it presence during the first UA attempt to establish an "h2clr" tunnel:
it honestly declares its presence
So it does not do or attempt to do any MITM behaviour.
Of course here it is a matter of trust, that way a UA has the possibility to *opt out* if does not trust
the access network
/Sal
Received on Monday, 17 February 2014 06:56:10 UTC