
Re: draft-nottingham-httpbis-origin-frame

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 15 Mar 2016 09:59:59 +1100
Message-ID: <CABkgnnVQLWo0=VXQSLNNNxGnYEC4Lnqtj2Q2ReYjWKP5D+1Ogw@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 15 March 2016 at 04:40, Patrick McManus <pmcmanus@mozilla.com> wrote:
> The DNS restriction of 7540 is really about sane routing of requests to the
> right server by getting an opt-in that indicates configuration. It's not
> really about security - DNS is not really part of the security model.

I 99% agree.  The other 1% is reserved for a minor concern about the
way the security model interacts with the rest of the system.

When a URL becomes known to a client, it then seeks out a server that
can serve that authority.  RFC 7540 didn't fundamentally change that
by allowing coalescing: the same process was followed, we just allowed
certain steps to be merged with work already done.

However, this would skip the DNS step entirely.  That's not bad,
because we don't rely on it for any sort of security property.
However... it does allow for some interesting capture scenarios.

For example, if I were able to steal a certificate for a few
interesting names, I would only have to capture a connection toward a
single one of those names in order to effectively intercept all
requests to those names.  With Alt-Svc, I would be able to continue
that capture as long as the theft remained viable.  With Mike's
additional certs, it's possible to use different stolen certificates.

It's a small concern, because I think that the risk is small in
comparison to the potential gain, but I don't think that this is
something that we can reasonably ignore.
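As an added illustration (not code from the thread or from any HTTP/2 implementation) of the two coalescing rules the message compares, the following Python decides whether an existing connection may serve a further host under the RFC 7540 section 9.1.1 rule and under an ORIGIN-frame rule, and reports how many names one connection ends up trusted for; all names, addresses and DNS answers are constructed.

```python
# Added example (not from the thread): an HTTP/2 client's connection-
# coalescing decision under RFC 7540 section 9.1.1 and under an
# ORIGIN-frame rule. Names, addresses and DNS answers are constructed.
from dataclasses import dataclass, field

@dataclass
class Connection:
    peer_ip: str              # address the TLS connection was opened to
    cert_names: frozenset     # dNSName SAN entries of the presented cert
    advertised: set = field(default_factory=set)  # origins from ORIGIN frames

def cert_covers(cert_names, host):
    """Exact match, or a single-label wildcard (*.example covers a.example
    but not x.a.example), as TLS name matching allows."""
    if host in cert_names:
        return True
    labels = host.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in cert_names

def can_coalesce_rfc7540(conn, host, resolve):
    """RFC 7540 9.1.1: reuse only when the certificate covers the host AND
    the host resolves to the address the connection already uses."""
    return cert_covers(conn.cert_names, host) and conn.peer_ip in resolve(host)

def can_coalesce_origin_frame(conn, host):
    """ORIGIN-frame rule: the server's own advertisement replaces the DNS
    check; certificate coverage is still required."""
    return cert_covers(conn.cert_names, host) and host in conn.advertised

def coalescable(conn, hosts, resolve):
    """Hosts a single connection would be trusted to serve under each rule,
    i.e. the scope of the capture concern raised in the mail."""
    return {
        "rfc7540": {h for h in hosts if can_coalesce_rfc7540(conn, h, resolve)},
        "origin_frame": {h for h in hosts if can_coalesce_origin_frame(conn, h)},
    }

# Constructed data: the server holds one cert for three names and advertises
# all three, but DNS for b.example points at a different address.
CONSTRUCTED_DNS = {"a.example": {"192.0.2.10"}, "b.example": {"198.51.100.7"},
                   "c.example": {"192.0.2.10"}}
CONN = Connection("192.0.2.10", frozenset(CONSTRUCTED_DNS), set(CONSTRUCTED_DNS))

if __name__ == "__main__":
    # With the DNS check, b.example stays off this connection; without it,
    # the ORIGIN advertisement alone brings all three names onto it.
    print(coalescable(CONN, CONSTRUCTED_DNS, lambda h: CONSTRUCTED_DNS.get(h, set())))
```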
Received on Monday, 14 March 2016 23:00:27 UTC