Re: Comments about draft-ietf-httpbis-http2-16 : Connection reuse

From: Ryan Hamilton <rch@google.com>
Date: Sun, 4 Jan 2015 15:53:42 -0800
Message-ID: <CAJ_4DfSSuux=avaRMiVZggRjLTQfAnL+AySvvALRpJXEu-JN7Q@mail.gmail.com>
To: Aeris <aeris@imirhil.fr>
Cc: Martin Thomson <martin.thomson@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Sun, Jan 4, 2015 at 11:29 AM, Aeris <aeris@imirhil.fr> wrote:

> But on our way, I sense connection reuse can ease MITM or downgrade attack.
> You « just » have to poison the DNS to match the target IP and send a A
> content with weak TLS parameters and request targeted content B from A to
> force TLS parameters to what you want for the B content fetching.
>

In your example, host A has a valid certificate for host B, but is
configured to have weaker security configuration than host B. Is that
right? If so, then your DNS poisoning attack works just fine with HTTP/1.1,
so HTTP/2 does not make it worse.
Received on Sunday, 4 January 2015 23:54:09 UTC
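The exchange above turns on one precondition: an HTTP/2 client may only coalesce a request for host B onto an existing connection to host A when B resolves to the address the connection is already using and the server certificate on that connection is valid for B (the rule in section 9.1.1 of the HTTP/2 draft). The following is an added illustration, not code from either correspondent or from any HTTP/2 implementation: a small model of that coalescing decision, with a constructed scenario in which the resolver for `b.example` has been poisoned to return A's address. The host names, addresses and certificate contents are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Connection:
    """An open HTTP/2 connection and what the client learned when it opened it.

    The TLS parameters are whatever host A negotiated; any origin coalesced
    onto this connection inherits them, which is the concern raised in the
    quoted mail.
    """
    authority: str        # host the connection was originally opened to
    peer_ip: str          # address the client actually connected to
    cert_sans: list       # dNSName entries from the server certificate
    tls_version: str      # negotiated on the handshake with A
    cipher: str


def dns_name_matches(pattern: str, host: str) -> bool:
    """Conservative certificate name matching in the spirit of RFC 6125.

    Accepts an exact match, or a single '*' forming the entire leftmost label
    that stands for exactly one label (so '*.example.com' covers
    'www.example.com' but not 'a.b.example.com' or 'example.com').
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse wildcards that would cover a whole registrable domain ('*.com').
    if len(h_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def can_coalesce(conn: Connection, new_host: str, resolved_ips: list) -> bool:
    """Decide whether a request for new_host may reuse conn.

    Both conditions from HTTP/2 section 9.1.1 must hold: the new host resolves
    to the address conn is using, and conn's certificate is valid for new_host.
    """
    peer = ipaddress.ip_address(conn.peer_ip)
    if not any(ipaddress.ip_address(ip) == peer for ip in resolved_ips):
        return False
    return any(dns_name_matches(san, new_host) for san in conn.cert_sans)


def poisoned_dns_scenario() -> dict:
    """Constructed scenario: the resolver for b.example is poisoned to A's IP.

    Returns the coalescing decision for two variants of host A's certificate.
    """
    poisoned_answer_for_b = ["203.0.113.10"]   # attacker-controlled answer (constructed)

    # Variant 1: A's certificate covers only a.example. Poisoning the DNS is
    # not enough; the client must open a fresh connection to b.example and
    # validate whatever certificate it is shown there.
    conn_a_only = Connection("a.example", "203.0.113.10", ["a.example"],
                             "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA")

    # Variant 2: A also holds a certificate valid for b.example. Coalescing is
    # permitted, but this is the case Ryan describes: anyone with a valid
    # certificate for B plus DNS control can already impersonate B over
    # HTTP/1.1, so HTTP/2 does not add a new capability.
    conn_a_and_b = Connection("a.example", "203.0.113.10",
                              ["a.example", "b.example"],
                              "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA")

    return {
        "cert_only_for_a": can_coalesce(conn_a_only, "b.example", poisoned_answer_for_b),
        "cert_covers_b": can_coalesce(conn_a_and_b, "b.example", poisoned_answer_for_b),
    }


if __name__ == "__main__":
    print(poisoned_dns_scenario())  # {'cert_only_for_a': False, 'cert_covers_b': True}
```

The model makes the thread's point concrete: DNS poisoning alone only satisfies the address check, and the certificate check is what stops an arbitrary host A from serving B's content over its own weaker TLS parameters. In the variant where it passes, the attacker already holds a certificate valid for B, which is the same capability needed to mount the attack against an HTTP/1.1 client.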