Re: Fwd: New Version Notification for draft-nottingham-http2-encryption-00.txt

Hi Mark,


Section 3.3 of your draft does not properly characterize a substantial
security consideration:

If a browser has a primitive that says, “relax your certificate
inspection when you connect on port xyz”, then an insertion attack can
be made not just against those sites that intend to use the header, but
for any site on the Internet, including those sites that have valid
certificates, thus substantially damaging the existing TLS deployment.

Consider the following snippet going into the MITM:

<a href="https://bankofeliot.com/login">Click Here To Login</a>

and coming out:

Alt-svc: http2-tls-relaxed=:443
{...}

<a href="http://bankofeliot.com/login:443">Click Here To Login</a>

Worse, the server has no notion that the browser hasn't validated the
certificate.

The mitigations for this attack are, as far as I can tell:

1.  Do not have the primitive in the browser;
2.  Only upgrade on the existing connection;
3.  Use a DNS record instead that is signed and can be validated (I
don't know if this is a complete mitigation).

My suggestion is (2) or (3) if you're looking for OE.

Finally, using port 443 in the example conflicts with TLS and the
assignment as articulated in RFC 2818.

Eliot

Received on Tuesday, 1 October 2013 05:01:35 UTC
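
Added example, not part of the original message or of the draft: a client-side check that reads mitigation (2) as "honour a relaxed advertisement only when it names the port of the connection the header arrived on, and never for an https origin". The function names, the policy and the `conn_port` parameter are assumptions; only the `proto=host:port` header form shown in the message is parsed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

RELAXED_TOKEN = "http2-tls-relaxed"  # token as written in the message above


@dataclass(frozen=True)
class Advert:
    protocol: str
    host: str  # empty string means "same host as the origin"
    port: int


def parse_alt_svc(value: str) -> Advert:
    """Parse the single `proto=host:port` form shown in the message."""
    protocol, sep, authority = value.strip().partition("=")
    host, colon, port = authority.strip().strip('"').rpartition(":")
    if not sep or not colon or not port.isdigit():
        raise ValueError(f"unrecognised Alt-Svc value: {value!r}")
    return Advert(protocol.strip().lower(), host.lower(), int(port))


def may_relax_validation(origin_url: str, conn_port: int, alt_svc: str):
    """Return (allowed, reason) under the assumed in-place-upgrade policy."""
    advert = parse_alt_svc(alt_svc)
    origin = urlsplit(origin_url)
    if advert.protocol != RELAXED_TOKEN:
        return False, "not a relaxed advertisement"
    if origin.scheme != "http":
        # An https origin keeps full certificate validation, whatever the header says.
        return False, "https origin: full validation required"
    if advert.host and advert.host != (origin.hostname or ""):
        return False, "advertisement names a different host"
    if advert.port != conn_port:
        # The header points away from the connection it arrived on, which is
        # the situation the message describes (header seen on 80, target 443).
        return False, "not an upgrade of the existing connection"
    return True, "in-place upgrade on the existing connection"


if __name__ == "__main__":
    # Constructed inputs modelled on the snippet in the message.
    for url, port, hdr in [
        ("http://bankofeliot.com/login", 80, "http2-tls-relaxed=:443"),
        ("http://bankofeliot.com/login", 80, "http2-tls-relaxed=:80"),
        ("https://bankofeliot.com/login", 443, "http2-tls-relaxed=:443"),
    ]:
        print(url, port, hdr, "->", may_relax_validation(url, port, hdr))
```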