RE: #612: 9.2.2 and ALPN

>I assume that there is an implied:

>BAD = peer MAY fallback to h1 (if able to influence ALPN protocol selection)

>and that will not be seen as a downgrade attack (or at least an acceptable one).

So long as some servers treat HTTP/1.1 and HTTP/2.0 as interchangeable, retrying requests as HTTP/1.1 could constitute a downgrade attack.

In other news, on the hopeful side, Microsoft just back-ported TLS 1.2 GCM ciphers to more OS platforms while fixing a SChannel bug.

-- 

Greg Wilkins <gregw@intalio.com>  @  Webtide - an Intalio subsidiary
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Wednesday, 12 November 2014 13:39:51 UTC