W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: TLS Renegotiation and HTTP/2 (#363)

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Tue, 1 Apr 2014 15:39:08 +0300
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140401123908.GB866@LK-Perkele-VII>
On Tue, Apr 01, 2014 at 03:26:17PM +0300, Yoav Nir wrote:
> Yoav
> On Apr 1, 2014, at 3:21 PM, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> >
> > That looks to be vulernable to forwarding and MITM attacks...
> > 
> Sure, but not more so than regular server-authenticated HTTPS.
> We can get all fancy and tie it to extractors or channel bindings. The question is whether we want just mutual authentication or whether we want to foil MitM attacks and proxies while we’re at it.
> Foiling MitM has the downside (or upside) of making this not work from behind next generation firewalls.
Suppose that user visits a maliscous site. What is to prevent
that site from contacting target site and forwarding
authentication exchange across (with who knows what other
headers and payload)?

Received on Tuesday, 1 April 2014 12:39:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:29 UTC