W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

2.2. Interaction with "https" URIs | Re: Op-sec simplification

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Tue, 1 Nov 2016 19:22:02 +0200 (EET)
To: HTTP working group mailing list <ietf-http-wg@w3.org>
CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Martin Thomson <martin.thomson@gmail.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Message-Id: <20161101172202.BE19F12310@welho-filter1.welho.com>
> | https://github.com/httpwg/http-extensions/pull/254
> | 
> | The main changes:
> | 
> |  - the .well-known resource is a flat list of origins
> 
> ( no comment about that yet. )
> 

On earlier version there was concern that if
same connection was used both on "http" 
and "https" scheme then these are
confused by server.

Therefore there was requirement that clients must 
not send "http" requests on a connection that would
ordinarily be used for "https" requests.

There was  "mixed-scheme" flag what disabled that
requirement.

Now there is no that requirement:

https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-08#section-2.2

| 2.2.  Interaction with "https" URIs
|
|   When using alternative services, requests for resources identified by
|   both "http" and "https" URIs might use the same connection, because
|   HTTP/2 permits requests for multiple origins on the same connection.
|   Because of the potential for server confusion about the scheme of
|   requests (see Section 4.4), clients MUST NOT send "http" requests on
|   a connection prior to successfully retrieving a valid http-
|   opportunistic resource that contains the origin (see Section 2.3).
|   The primary purpose of this check is to provide a client with some
|   assurance that a server understands this specification and has taken
|   steps to avoid being confused about request scheme.

What is wanted ?  Options

	• No concern; that check that http://{...}/.well-known/http-opportunistic
          succeed tells enough that there is no confusion

        • Forbid using same connection for "http" requests
	  which would ordinarily be used for "https" requests.

	• Forbid using same connection for "http" requests
          which would ordinarily be used for "https" requests
	  but allow it if there is "mixed-scheme" -member (or
	  some other flag).

        • Forbid using same connection for "http" requests
	  which would ordinarily be used for "https" requests
	  unless same connection which was tested
	  for http://{...}/.well-known/http-opportunistic
	  are also after that tested:

		∘ That https requests for /.well-known/http-opportunistic
		  on same host {...} does not return same object

		∘ Note that if that test fails, then that connection
		  is no longer be good for http requests either.
		
/ Kari Hurtta
Received on Tuesday, 1 November 2016 17:22:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 November 2016 17:22:40 UTC