Re: new version trusted-proxy20 draft

On Fri, Feb 14, 2014 at 1:56 PM, Salvatore Loreto <
salvatore.loreto@ericsson.com> wrote:

>
>   To distinguish between an HTTP2 connection meant to transport "https"
>   URIs resources and an HTTP2 connection meant to transport "http" URIs
>   resource, the draft proposes to
>
>
HTTP/2 doesn't require a connection to transport a consistent scheme as
long as the underlying properties of the connection are sufficient for
carrying all of the schemes on it. (i.e. you can't carry https:// without a
minimum security set, but you can certainly mix https:// and http://)


     register a new value in the Application Layer Protocol negotiation
>      (ALPN) Protocol IDs registry specific to signal the usage of HTTP2
>      to transport "http" URIs resources: h2clr.
>

(1)  A User-Agent that makes a request to an "http" URI without prior
      knowledge about support for HTTP2 uses TLS, with the application
      level protocol negotiation extension inserting the h2clr tag, to
      start the HTTP2 connection.  The Proxy intercepts the TLS
      ClientHello analyses the application layer protocol negotiation
      extension field and if it contains "h2clr" value it blocks the TLS
      ClientHello.


>   This document describes two alternative methods for an user-agent to
>   automatically discover and for an user to provide consent for a
>   Trusted Proxy to be securely involved when he or she is requesting an
>   HTTP URI resource over HTTP2 with TLS.
>
>

This has the effect of signaling to an on path observer which transactions,
in a large stream of them, will not be able to detect a MITM interaction.
I'm not in favor.

Received on Friday, 14 February 2014 22:43:06 UTC