W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: Alt-Svc: alternatives assigned by alternatives

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 19 Aug 2014 10:32:52 -0700
Message-ID: <CABkgnnXMRufX7sQn0gWwEwymhXD_PSyF=BM9dZ+kkcN5z4zQxQ@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 19 August 2014 06:37, Patrick McManus <mcmanus@ducksong.com> wrote:
> I think the strongest argument in favor of scoping who can update a alt-svc
> is that a MITM attacker can attack you once and then capture your traffic in
> perpetuity without having to perform another attack against the original
> origin by updating the value.

I think that we have a good way out on that.
http://http2.github.io/http2-spec/alt-svc.html#caching says to
re-examine alternative services when you change network attachment.
That avoids the most egregious attacks.

I'll note that in general, once an origin is poisoned, that isn't
something that can be recovered easily anyway.  Caching lifetimes are
quite long, and other persistent storage is basically never removed.
So if you are concerned about a one time breach causing long-term
damage, that's already a state that we have to deal with.  Not that
that is a particularly gratifying argument, but it might put the
problem into perspective.

> So I favor allowing any host authoritative for a transaction to also update the
> corresponding alt-svc value.

I think that this is the right answer.
Received on Tuesday, 19 August 2014 17:33:20 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:10 UTC