
Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 1 Oct 2013 16:00:32 +1000
Cc: "ietf-http-wg@w3.org WG" <ietf-http-wg@w3.org>
Message-Id: <06B80849-8384-4540-8825-4C2845049B75@mnot.net>
To: Eliot Lear <lear@cisco.com>

On 01/10/2013, at 3:57 PM, Eliot Lear <lear@cisco.com> wrote:

> That is not what I call a strong indication.  Want to test its
> effectiveness with users?

I'm not disagreeing with you. Then again, it's already possible to perform this attack; the only difference is that the hostname will change (or not, depending on how IRIs are handled, and how creative the attacker is). 

Stronger mitigation is indeed necessary, although I disagree with your characterisation of only having three possible ways forward. 

>> It merely says "http protocol over TLS/SSL." That's what's happening here.
>> More to the point, this draft is proposing a pretty fundamental change to how URI schemes map to protocols and ports, and so some adjustment of scheme and port semantics ought to be expected. 
> Not to the detriment of TLS.

Of course. We'll need to define that, though.


Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 1 October 2013 06:01:00 UTC
