Skipping DNS resolutions with ORIGIN frame

Howdy Folks,

I've been talking with Chrome security folks about the issue of skipping
DNS resolutions when using an existing HTTP/2 connection for a new origin
announced via an ORIGIN frame. It is crystal clear that saving DNS
resolutions represents a real performance win, especially for long-tail
users.

However, we are not comfortable with the increased ability of an off-path
attacker to exploit a mis-issued certificate. A DNS resolution is not the
strongest security assertion in the world, but it's definitely something.

Before trusting a certificate for a connection, we'd like an assertion from
some other trusted source. This could be:
* On-path presence, for example DNS resolution, or proxy configuration
* A previous assertion from the origin itself (Alt-Svc)
* CT logs, etc.
Without such an assertion, we're not comfortable trusting the connection
and plan to continue consulting DNS when making use of the ORIGIN frame in
Chrome.

Cheers,

Ryan

Received on Friday, 14 July 2017 13:19:05 UTC
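The decision Ryan describes above, as an added illustration that is not part of the original message or of Chrome's code: before routing requests for an origin announced in an ORIGIN frame over an existing HTTP/2 connection, the client checks that the server certificate covers the origin and then requires one further assertion, either a prior Alt-Svc statement from that origin or a DNS resolution that points the origin at the peer the connection already goes to. The DNS table, the certificate names, the peer addresses and the helper names (`resolve`, `may_coalesce`, `Connection`) are all constructed for the example; the `skip_dns` flag exists only to show what the cert-only policy would accept.

```python
from dataclasses import dataclass, field

# Constructed, offline stand-in for a DNS resolver: origin host -> A records.
# "other.example" is hosted elsewhere; a certificate that names it alongside
# the peer's own hosts is the constructed "mis-issued certificate" case.
DNS_TABLE = {
    "www.example": {"192.0.2.10", "192.0.2.11"},
    "api.example": {"192.0.2.10"},
    "other.example": {"203.0.113.7"},
}


def resolve(host: str) -> set[str]:
    """Return the constructed address set for host (empty if unknown)."""
    return set(DNS_TABLE.get(host, ()))


@dataclass
class Connection:
    peer_ip: str                      # address the TCP/TLS connection actually goes to
    cert_sans: set[str]               # dNSName entries of the server certificate
    alt_svc_origins: set[str] = field(default_factory=set)  # origins that earlier sent Alt-Svc for this host


def cert_covers(sans: set[str], host: str) -> bool:
    """Exact or single-label wildcard match (simplified; no public-suffix rules)."""
    if host in sans:
        return True
    labels = host.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in sans


def may_coalesce(conn: Connection, origin_host: str, skip_dns: bool = False) -> tuple[bool, str]:
    """Decide whether requests for origin_host may reuse conn.

    Returns (decision, reason). The certificate check is always required; the
    second assertion is either a prior Alt-Svc statement from the origin or a
    DNS answer that includes the peer address. skip_dns models the cert-only
    policy the message argues against.
    """
    if not cert_covers(conn.cert_sans, origin_host):
        return False, "certificate does not cover origin"
    if origin_host in conn.alt_svc_origins:
        return True, "prior Alt-Svc assertion from the origin"
    if skip_dns:
        return True, "ORIGIN frame accepted on certificate alone"
    if conn.peer_ip in resolve(origin_host):
        return True, "DNS places the origin at this peer"
    return False, "DNS does not place the origin at this peer"


if __name__ == "__main__":
    # Connection to 192.0.2.10 whose certificate also names other.example.
    conn = Connection(peer_ip="192.0.2.10",
                      cert_sans={"www.example", "api.example", "other.example"})
    for host in ("api.example", "other.example"):
        print(host, may_coalesce(conn, host))
        print(host, "(skip_dns)", may_coalesce(conn, host, skip_dns=True))
```

With the DNS check in place, `api.example` is coalesced because its address set contains the peer, while `other.example` is refused even though the certificate names it; with `skip_dns=True` the same certificate alone would have been enough to send `other.example` traffic to that peer, which is exactly the exposure the message is about.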