- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 6 Oct 2016 11:35:09 +1100
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Patrick McManus <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
I'll try, but it might be ELI15... On 6 October 2016 at 04:28, Mike Bishop <Michael.Bishop@microsoft.com> wrote: > Basically, we've simplified this greatly, and I like that. But we've simplified it so much that I'm no longer clear what problem we have left to solve. Can someone ELI5? A client learns that a server has a "secure" alternative. This implies that clients can send "not-secure" requests to a "secure" server. The client wants to know that this alternative understands what it means when it sends a "not-secure" request to that server. This is because some "secure" servers can be confused by a "not-secure" request. They might think that it is "secure" and do the wrong thing. We need to find a way to ask the "secure" server if it is OK with getting "not-secure" requests. > - This host is authorized to serve the content for http://example.com? That's RFC 7838 -- we're done. I wish. > - This host can serve the content for http://example.com and is smart enough not to get confused when scheme and port don't match? Again, that's RFC 7838 ("mitigate ... by refraining from advertising alternative services for insecure schemes."). But if you want to enable clients to double-check the origin administrators, let the alternative declare that it's scheme-aware, whether by existence of a .w-k resource or a connection setting. It's hard to know whether a server is confused just by making regular requests. > - This host can serve content for both http://example.com *and* https://example.com *and* http://other.example.com on the same connection without confusing them all? That seems to be implied by the previous one. I think that Kari was hinting at a problem where a load balancer terminates TLS and then routes based on the Host header alone. The back-end servers aren't all equally capable of distinguishing between "secure" and "not-secure". That suggests to me that you probably want proof positive for all origins separately, as we discussed. > - This host *consents* to serve http://example.com? Seems implicit in responding to requests. What does anyone gain by checking before sending requests versus trying the requests and maybe getting 421s? See above regarding confusion. Just providing a response isn't enough. --- Here's my concrete proposal (as I made earlier): """ Before using a secure alternative for an http:// origin, a client MUST first request /.well-known/http-opportunistic at that origin. If this resource exists and a not-stale 2xx response is obtained, then requests for the origin MAY be directed toward the secure alternative. The contents of this resource do not matter. If multiple http:// origins are coalesced onto the same connection to a secure alternative, a client MUST obtain an http-opportunistic resource from each origin separately. """ You might insist on greater proof here (a Content-Location header field would be stronger proof, or you could mandate some format for the response body), but I don't believe that to be necessary. Once the http-opportunistic resource exists, then we have proof that the server has opted in. This does mean that in co-hosted situations an audit is recommended to ensure that there are no resources for which there are a) necessary variations between https:// and http:// resources on the same path and b) confusion might be possible. The server operator then needs to choose whether to disable http-opportunistic just on the affected origins or to disable the feature entirely.
Received on Thursday, 6 October 2016 00:35:39 UTC