Re: Comments about draft-ietf-httpbis-http2-16 : Connection reuse

On Sun, Jan 4, 2015 at 11:29 AM, Aeris <aeris@imirhil.fr> wrote:

> But on our way, I sense connection reuse can ease MITM or downgrade attacks.
> You « just » have to poison the DNS to match the target IP and send A
> content with weak TLS parameters and request targeted content B from A to
> force TLS parameters to what you want for the B content fetching.
>

In your example, host A has a valid certificate for host B, but is
configured to have a weaker security configuration than host B. Is that
right? If so, then your DNS poisoning attack works just fine with HTTP/1.1,
so HTTP/2 does not make it worse.

Received on Sunday, 4 January 2015 23:54:09 UTC
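
The reuse condition discussed in this exchange, modelled as an added example (not part of the original messages or of the draft): a client reuses an existing connection for another host only when the certificate is valid for that host and the host resolves to the connection's IP. The host names, addresses and simplified wildcard matching are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Connection:
    peer_ip: str        # address the TLS connection was opened to
    cert_names: tuple   # dNSName entries of the certificate the server presented

def name_matches(pattern: str, host: str) -> bool:
    """Simplified matching: exact name, or '*.' covering one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        _, _, rest = host.partition(".")
        return bool(rest) and rest == pattern[2:]
    return pattern == host

def cert_valid_for(cert_names, host: str) -> bool:
    # The only host check a fresh HTTP/1.1 TLS connection to the resolved IP makes.
    return any(name_matches(n, host) for n in cert_names)

def can_reuse(conn: Connection, host: str, resolved_ips) -> bool:
    # HTTP/2 reuse needs both: certificate covers the host AND DNS points here.
    return cert_valid_for(conn.cert_names, host) and conn.peer_ip in resolved_ips

# Constructed sample data (documentation address ranges, .test names).
A_IP, B_IP = "192.0.2.10", "198.51.100.20"
HOST_B = "b.example.test"

def scenarios():
    a_covers_b = Connection(A_IP, ("a.example.test", "b.example.test"))
    a_only = Connection(A_IP, ("a.example.test",))
    return {
        # DNS for B poisoned to A's IP, A holds a certificate valid for B:
        # reuse is allowed, and a new HTTP/1.1 connection is accepted as well.
        "poisoned_reuse": can_reuse(a_covers_b, HOST_B, [A_IP]),
        "poisoned_http11": cert_valid_for(a_covers_b.cert_names, HOST_B),
        # Same poisoning, but A's certificate does not cover B: refused.
        "poisoned_no_cert": can_reuse(a_only, HOST_B, [A_IP]),
        # No poisoning: B resolves to its own address, so A's connection is not reused.
        "clean_dns": can_reuse(a_covers_b, HOST_B, [B_IP]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the poisoned case both checks pass for the same reason: the certificate already covers B, which is the precondition the reply points out.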