On Mon, Feb 17, 2014 at 1:55 AM, Salvatore Loreto < salvatore.loreto@ericsson.com> wrote: > > On Feb 15, 2014, at 12:42 AM, Patrick McManus <pmcmanus@mozilla.com> > wrote: > > > On Fri, Feb 14, 2014 at 1:56 PM, Salvatore Loreto < > salvatore.loreto@ericsson.com> wrote: > >> >> To distinguish between an HTTP2 connection meant to transport "https" >> URIs resources and an HTTP2 connection meant to transport "http" URIs >> resource, the draft proposes to >> >> > HTTP/2 doesn't require a connection to transport a consistent scheme as > long as the underlying properties of the connection are sufficient for > carrying all of the schemes on it. (i.e. you can't carry https:// without > a minimum security set, but you can > > This has the effect of signaling to an on path observer which > transactions, in a large stream of them, will not be able to detect a MITM > interaction. I'm not in favour. > > > a trusted proxy signals it presence during the first UA attempt to > establish an "h2clr" tunnel: > it honestly declares its presence > So it does not do or attempt to do any MITM behaviour. > you're focused on the device you envision deploying. what about a traditional MITM attacker (i.e something not adhering to your draft)? secondly, any interception proxy - especially those terminating flows not addressed to them - is a MITM - almost tautologically so. Perhaps not an attacker - maybe a frenemy - but definitely a MITM.
Received on Monday, 17 February 2014 14:01:16 UTC