Skipping DNS resolutions with ORIGIN frame

Howdy Folks,

I've been talking with Chrome security folks about the issue of skipping
DNS resolutions when using an existing HTTP/2 connection for a new origin
announced via an ORIGIN frame. It is crystal clear that saving DNS
resolutions represents a real performance win, especially for long-tail

However, we are not comfortable with the increased ability of an off-path
attacker to exploit a mis-issued certificate. A DNS resolution is not the
strongest security assertion in the world, but it's definitely something.

Before trusting a certificate for a connection, we'd like an assertion from
some other trusted source. This could be:
* On-path presence, for example DNS resolution, or proxy configuration
* A previous assertion from the origin itself (Alt-Svc)
* CT logs, etc.
Without such an assertion, we're not comfortable trusting the connection
and plan to continue consulting DNS when making use of the ORIGIN frame in



Received on Friday, 14 July 2017 13:19:05 UTC