Re: 2 questions

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 30 Mar 2015 12:56:10 -0500
Message-ID: <CABkgnnVGDLfEzi1Fi=97iM2xGH0R1UQr-SPj73j+S2Yoz_Lo-A@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Cc: Adrien de Croy <adrien@qbik.com>, Cory Benfield <cory@lukasa.co.uk>, Glen <glen.84@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 30 March 2015 at 08:03, Yoav Nir <ynir.ietf@gmail.com> wrote:
> Not quite. ALPN is carefully engineered to play nice with MitM. The MitM that are installed now (and for the last 8 years) will easily strip the ALPN extension and downgrade client and server to HTTP/1.

I'm sure that this statement makes some people very sad.

That said, I can't see how a box that is able to MitM TLS can be
prevented from doing more than ALPN stripping.  If the client trusts
it, then it's got carte blanche access.
Received on Monday, 30 March 2015 17:56:38 UTC
