- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 8 Jun 2015 20:54:26 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 8 June 2015 at 17:51, Mark Nottingham <mnot@mnot.net> wrote: > It *would* help against an attack whereby someone can inject HTTP response headers, and they want to attack a service that they don't control. This is already something we consider either a) safe, or b) a lost cause. Cross protocol attacks using HTTP are already trivially mounted for requests that only use safe methods and header fields, such as form submissions. I believe that the assumption is that HTTP is well-enough known and unlikely to create a sequence of packets that would cause bad things to happen. However, this potentially increases that surface area by allowing same-origin requests, with the additional control that implies. I'm not especially concerned by that though: and I'm not concerned about h1 as much as I am with unsecured protocols. ALPN in TLS provides a pretty strong assurance that the server knows what it is doing. Unsecured HTTP/1.1 might be exploitable if you have a particularly stupid service...maybe.
Received on Tuesday, 9 June 2015 03:54:54 UTC