Re: Comments about draft-ietf-httpbis-http2-16 : Connection reuse from Ryan Hamilton on 2015-01-04 (ietf-http-wg@w3.org from January to March 2015)

From: Ryan Hamilton <rch@google.com>
Date: Sun, 4 Jan 2015 15:53:42 -0800
To: Aeris <aeris@imirhil.fr>
Cc: Martin Thomson <martin.thomson@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAJ_4DfSSuux=avaRMiVZggRjLTQfAnL+AySvvALRpJXEu-JN7Q@mail.gmail.com>

On Sun, Jan 4, 2015 at 11:29 AM, Aeris <aeris@imirhil.fr> wrote:

> But on our way, I sense connection reuse can ease MITM or downgrade attack.
> You « just » have to poison the DNS to match the target IP and send a A
> content with weak TLS parameters and request targeted content B from A to
> force TLS parameters to what you want for the B content fetching.
>

In your example, host A has a valid certificate for host B, but is
configured to have weaker security configuration than host B. Is that
right? If so, then your DNS poisoning attack works just fine with HTTP/1.1,
so HTTP/2 does not make it worse.

Received on Sunday, 4 January 2015 23:54:09 UTC