W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: AD review of draft-ietf-httpbis-alt-svc-10

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 4 Feb 2016 11:45:31 +1100
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mike Bishop <Michael.Bishop@microsoft.com>, Barry Leiba <barryleiba@computer.org>, "draft-ietf-httpbis-alt-svc@ietf.org" <draft-ietf-httpbis-alt-svc@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DF5ACE2B-FAD4-4B43-B140-B0939641C67D@mnot.net>
To: "Julian F. Reschke" <julian.reschke@gmx.de>

> On 4 Feb 2016, at 12:12 am, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2016-01-15 04:27, Mark Nottingham wrote:
>> In some side discussions, I've come across other people who are unhappy with this state of affairs, so I don't think you're alone. I'll leave it up to them to decide how to participate here.
>> To be explicit -- we are opening up a potential same machine attack (specifically, someone on a shared HTTP server who has the ability to both add response headers -- such as with .htaccess or a CGI script -- and listen to another port (possibly, ANY port) on the same box can then hijack traffic intended for other users.
>> The motivation for doing so is to enable the HTTP Opportunistic Security specification, which offers weak protection against pervasive monitors, but is vulnerable to active attackers, and doesn't improve Web security in other (and important) ways that HTTPS does. We have only one implementation of that specification in a browser, and no sign that it will be adopted by others.
>> Is this a reasonable tradeoff? We are planning to publish this is Experimental, so the question might also be "is this a responsible experiment to run?"
>> Cheers,
> I opened <https://github.com/httpwg/http-extensions/issues/139> to track this.
> Best regards, Julian

Mark Nottingham   https://www.mnot.net/
Received on Thursday, 4 February 2016 00:46:05 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC