- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 01 Apr 2015 14:41:03 +1300
- To: ietf-http-wg@w3.org
On 1/04/2015 11:03 a.m., ChanMaxthon wrote:
> Maybe I missed out that and abused the Server header, but the gist is still there: in the first request, if cached information is not available, which is plain HTTP/1.1, the server advertises its availability of HTTP/2 capabilities; and on the second request, or if a previous successful HTTP/2 session is still in cache, HTTP/2 traffic is started by sending an HTTP/1.1 Upgrade request, which is responded to with an HTTP/2 response.
>
> This non-symmetric behavior would throw off some of that MITM attempt (as an unwanted HTTP/1.1 response to this particular request is ignored.)
>

No it won't. Google tried that style of upgrade with QUIC, which forced me to do this a short while ago:
<http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13193.patch>

Note that the change was done to fix *security vulnerabilities* affecting even regular benevolent existing HTTP proxies. These occur regardless of how secure QUIC itself might be.

The Alt-Svc draft is struggling with the same class of issues. Any proxy (MITM or not) which is erasing the client signals (Upgrade or HTTP2-Settings headers) is just as likely to erase server signals, with more actual need to do so.

Amos
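A toy model of the two-request upgrade scheme described in the quoted message, added here as an illustration and not code from the thread or from Squid; the host name, the HTTP2-Settings value and the intermediary behaviour are constructed, and the model shows why an intermediary that erases the client's Upgrade/HTTP2-Settings is just as likely to erase the server's advertisement.

```python
# Toy model of the upgrade scheme in the quoted message. Illustration added to
# this archive page, not code from Squid or the thread. Host, header values and
# the intermediary behaviour are constructed.

# Upgrade and HTTP2-Settings are hop-by-hop (listed in Connection), so an
# intermediary drops them; Alt-Svc is dropped too to model Amos's point that
# the same box is just as likely to erase the server's advertisement.
SIGNAL_HEADERS = {"upgrade", "http2-settings", "alt-svc"}

def strip_signals(headers):
    """Intermediary that forwards a message minus protocol-negotiation headers."""
    return {k: v for k, v in headers.items() if k.lower() not in SIGNAL_HEADERS}

def forward(headers):
    """Intermediary (or direct connection) that leaves the message untouched."""
    return dict(headers)

def origin(request):
    """h2c-capable origin: honours a complete Upgrade, otherwise answers in
    HTTP/1.1 and advertises that HTTP/2 is available."""
    if request.get("Upgrade") == "h2c" and "HTTP2-Settings" in request:
        return {"status": 101, "Connection": "Upgrade", "Upgrade": "h2c"}
    return {"status": 200, "Alt-Svc": 'h2c=":80"'}

class Client:
    def __init__(self):
        self.h2_hosts = set()  # hosts previously seen advertising HTTP/2

    def request(self, host, to_origin, to_client):
        headers = {"Host": host}
        if host in self.h2_hosts:  # cached advertisement: attempt the upgrade
            headers["Connection"] = "Upgrade, HTTP2-Settings"
            headers["Upgrade"] = "h2c"
            headers["HTTP2-Settings"] = "AAMAAABkAAQAAP__"  # constructed value
        response = to_client(origin(to_origin(headers)))
        if response["status"] == 101:
            return "h2"
        if "Alt-Svc" in response:  # remember the advertisement for next time
            self.h2_hosts.add(host)
        return "http/1.1"  # plain response: fall back, never assume the upgrade

def run(to_origin, to_client):
    """Protocol actually used on two consecutive requests to one host."""
    client = Client()
    return [client.request("origin.example", to_origin, to_client) for _ in range(2)]

if __name__ == "__main__":
    print(run(forward, forward))              # ['http/1.1', 'h2']
    print(run(strip_signals, strip_signals))  # ['http/1.1', 'http/1.1']
    print(run(strip_signals, forward))        # ['http/1.1', 'http/1.1']
```

The third case is the one the quoted message relies on: even when only the request direction is scrubbed, the client gets a plain HTTP/1.1 answer and must fall back rather than trust its cached belief that HTTP/2 is available.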
Received on Wednesday, 1 April 2015 01:41:36 UTC