- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 18 Jun 2015 10:06:47 -0700
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, HTTP Working Group <ietf-http-wg@w3.org>
On 18 June 2015 at 01:26, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:

> I think, as a consequence, I need to disable the Alt-Svc support for http: in mod_h2, since scheme information is not available to others living inside Apache httpd and the described http/1.1 exploit will work exactly the same with h2 involved.

It depends on how Apache reports things as being "https" or not. If you can avoid generating those signals or suppress them, then it should be OK.

We can certainly improve the text. Here's what I have:

Some HTTP/1.1 implementations use ambient signals to determine if a request is for an `https` resource. For example, implementations might look for TLS on the stack or a port number of 443. An implementation that supports opportunistically secured requests SHOULD suppress these signals if there is any potential for confusion.
Received on Thursday, 18 June 2015 17:07:15 UTC
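The ambient-signal confusion the draft text above describes, as an added Python example that is not code from the draft, mod_h2 or Apache httpd: a naive classifier that infers `https` from TLS on the stack or port 443, beside one that takes the scheme from the request itself and suppresses those ambient signals on an opportunistically secured connection. The `Connection` and `Request` types, and the policy of rejecting an `https` request on a connection negotiated for an `http` origin, are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    tls: bool            # TLS is on the stack for this connection
    local_port: int      # port the connection arrived on
    opportunistic: bool  # connection was set up via Alt-Svc for an http:// origin


@dataclass
class Request:
    scheme: str     # HTTP/2 ":scheme" pseudo-header, or the absolute-form target's scheme
    authority: str  # host the request is addressed to


def ambient_scheme(conn: Connection) -> str:
    """The pattern the draft warns about: decide https from TLS or port 443 alone.
    On an opportunistic connection this misreports an http resource as https."""
    return "https" if conn.tls or conn.local_port == 443 else "http"


def explicit_scheme(conn: Connection, req: Request) -> str:
    """Take the scheme from the request itself.  On an opportunistic connection
    the TLS/port signals are suppressed: the origin being served is still http,
    so an https claim there is rejected (this example's own policy)."""
    scheme = req.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    if conn.opportunistic and scheme == "https":
        raise ValueError("https request on a connection negotiated for an http origin")
    return scheme


def report_https(conn: Connection, req: Request) -> bool:
    """The 'is this request https?' signal handed to the application layer
    (the kind of flag a server like Apache exposes to modules and scripts):
    true only when the request is genuinely for an https resource, never
    merely because TLS happened to be used on the connection."""
    return explicit_scheme(conn, req) == "https"


if __name__ == "__main__":
    # Constructed sample: an http:// origin reached over TLS on 443 via Alt-Svc.
    opp = Connection(tls=True, local_port=443, opportunistic=True)
    req = Request(scheme="http", authority="example.com")
    print("ambient :", ambient_scheme(opp))        # https  (the confusion)
    print("explicit:", explicit_scheme(opp, req))  # http
```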