W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Re: new version trusted-proxy20 draft

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Mon, 17 Feb 2014 09:00:44 -0500
Message-ID: <CAOdDvNrfHDdvwEMRdzMjuedN2OpCnwSyxeERVe-p6y9e-o6Wow@mail.gmail.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>, GUS BOURG <gb3635@att.com>
On Mon, Feb 17, 2014 at 1:55 AM, Salvatore Loreto <
salvatore.loreto@ericsson.com> wrote:

>
>  On Feb 15, 2014, at 12:42 AM, Patrick McManus <pmcmanus@mozilla.com>
> wrote:
>
>
> On Fri, Feb 14, 2014 at 1:56 PM, Salvatore Loreto <
> salvatore.loreto@ericsson.com> wrote:
>
>>
>>   To distinguish between an HTTP2 connection meant to transport "https"
>>   URIs resources and an HTTP2 connection meant to transport "http" URIs
>>   resource, the draft proposes to
>>
>>
>  HTTP/2 doesn't require a connection to transport a consistent scheme as
> long as the underlying properties of the connection are sufficient for
> carrying all of the schemes on it. (i.e. you can't carry https:// without
> a minimum security set, but you can
>
>  This has the effect of signaling to an on path observer which
> transactions, in a large stream of them, will not be able to detect a MITM
> interaction. I'm not in favour.
>
>
>  a trusted proxy signals it presence during the first UA attempt to
> establish an "h2clr" tunnel:
> it honestly declares its presence
> So it does not do or attempt to do any MITM behaviour.
>

you're focused on the device you envision deploying. what about a
traditional MITM attacker  (i.e something not adhering to your draft)?

secondly, any interception proxy - especially those terminating flows not
addressed to them - is a MITM - almost tautologically so. Perhaps not an
attacker - maybe a frenemy - but definitely a MITM.
Received on Monday, 17 February 2014 14:01:16 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:24 UTC