- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 19 Aug 2014 10:32:52 -0700
- To: Patrick McManus <mcmanus@ducksong.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 19 August 2014 06:37, Patrick McManus <mcmanus@ducksong.com> wrote:
> I think the strongest argument in favor of scoping who can update an alt-svc
> is that a MITM attacker can attack you once and then capture your traffic in
> perpetuity without having to perform another attack against the original
> origin by updating the value.

I think that we have a good way out on that.
http://http2.github.io/http2-spec/alt-svc.html#caching says to re-examine alternative services when you change network attachment. That avoids the most egregious attacks.

I'll note that in general, once an origin is poisoned, that isn't something that can be recovered easily anyway. Caching lifetimes are quite long, and other persistent storage is basically never removed. So if you are concerned about a one-time breach causing long-term damage, that's already a state that we have to deal with. Not that that is a particularly gratifying argument, but it might put the problem into perspective.

> So I favor allowing any host authoritative for a transaction to also update the
> corresponding alt-svc value.

I think that this is the right answer.

Received on Tuesday, 19 August 2014 17:33:20 UTC