Re: New Version Notification for draft-nottingham-http2-encryption-00.txt

On 10/1/13 8:00 AM, Mark Nottingham wrote:
> On 01/10/2013, at 3:57 PM, Eliot Lear <lear@cisco.com> wrote:
>
>> That is not what I call a strong indication.  Want to test its
>> effectiveness with users?
> I'm not disagreeing with you. Then again, it's already possible to perform this attack; the only difference is that the hostname will change (or not, depending on how IRIs are handled, and how creative the attacker is). 

This is more.  Here the hostname itself DOESN'T have to change.
Remember, you're dealing with a man in the middle, and so it terminates
one side and establishes a new (ironically authenticated non-relaxed
TLS) connection on the other side.  And the closer the man in the middle
is, the more attacks he can effect, so long as the browser follows the
primitive.
>
> Stronger mitigation is indeed necessary, although I disagree with your characterisation of only having three possible ways forward. 

Oh I imagine there are many ways forward.  Smarter people will surely
come up with something more than what I've suggested.  Heck off the top
of my head I can think of other ways forward, including the use of SSH,
but that doesn't seem to make efficient use of existing code, although
some of the concepts are relevant...

>
>
>>> It merely says "http protocol over TLS/SSL." That's what's happening here.
>>>
>>> More to the point, this draft is proposing a pretty fundamental change to how URI schemes map to protocols and ports, and so some adjustment of scheme and port semantics ought to be expected. 
>> Not to the detriment of TLS.
> Of course. We'll need to define that, though.

And just to be clear, RFC 2818 specifies the use of port 443, and that
clients MUST validate certs, and servers may have that very expectation.

Of course I'm not a fan of relaxed cert checking, but if you're going to
do it, consider some safer alternatives.  For instance, you could just
as easily go with Start-TLS: relaxed as a header and get the same
behavior on the same connection (this also reduces TCP overhead, as a
side effect).  That too is subject to an MITM attack, but at least it
leaves you no worse off than you are today.

Eliot

Received on Tuesday, 1 October 2013 06:20:07 UTC