W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: new version trusted-proxy20 draft

From: Salvatore Loreto <salvatore.loreto@ericsson.com>
Date: Mon, 17 Feb 2014 06:55:46 +0000
To: Patrick McManus <pmcmanus@mozilla.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>, GUS BOURG <gb3635@att.com>
Message-ID: <ADDC3F82-3CE3-48C9-8765-7956DB4AF5EF@ericsson.com>

On Feb 15, 2014, at 12:42 AM, Patrick McManus <pmcmanus@mozilla.com<mailto:pmcmanus@mozilla.com>> wrote:


On Fri, Feb 14, 2014 at 1:56 PM, Salvatore Loreto <salvatore.loreto@ericsson.com<mailto:salvatore.loreto@ericsson.com>> wrote:

  To distinguish between an HTTP2 connection meant to transport "https"
  URIs resources and an HTTP2 connection meant to transport "http" URIs
  resource, the draft proposes to


HTTP/2 doesn't require a connection to transport a consistent scheme as long as the underlying properties of the connection are sufficient for carrying all of the schemes on it. (i.e. you can't carry https:// without a minimum security set, but you can certainly mix https:// and http://)


     register a new value in the Application Layer Protocol negotiation
     (ALPN) Protocol IDs registry specific to signal the usage of HTTP2
     to transport "http" URIs resources: h2clr.


(1)  A User-Agent that makes a request to an "http" URI without prior
      knowledge about support for HTTP2 uses TLS, with the application
      level protocol negotiation extension inserting the h2clr tag, to
      start the HTTP2 connection.  The Proxy intercepts the TLS
      ClientHello analyses the application layer protocol negotiation
      extension field and if it contains "h2clr" value it blocks the TLS
      ClientHello.

  This document describes two alternative methods for an user-agent to
  automatically discover and for an user to provide consent for a
  Trusted Proxy to be securely involved when he or she is requesting an
  HTTP URI resource over HTTP2 with TLS.


This has the effect of signaling to an on path observer which transactions, in a large stream of them, will not be able to detect a MITM interaction. I'm not in favour.

a trusted proxy signals it presence during the first UA attempt to establish an "h2clr" tunnel:
it honestly declares its presence
So it does not do or attempt to do any MITM behaviour.
Of course here it is a matter of trust, that way a UA has the possibility to *opt out* if does not trust
the access network

/Sal
Received on Monday, 17 February 2014 06:56:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC