Re: Skipping DNS resolutions with ORIGIN frame

On Fri, Jul 14, 2017 at 6:18 AM, Ryan Hamilton <> wrote:

> Howdy Folks,
> I've been talking with Chrome security folks about the issue of skipping
> DNS resolutions when using an existing HTTP/2 connection for a new origin
> announced via an ORIGIN frame. It is crystal clear that saving DNS
> resolutions represents a real performance win, especially for long-tail
> users.
> However, we are not comfortable with the increased ability of an off-path
> attacker to exploit a mis-issued certificate. A DNS resolution is not the
> strongest security assertion in the world, but it's definitely something.
> Before trusting a certificate for a connection, we'd like an assertion
> from some other trusted source. This could be:
> * On-path presence, for example DNS resolution, or proxy configuration
> * A previous assertion from the origin itself (Alt-Svc)
> * CT logs, etc.
> Without such an assertion, we're not comfortable trusting the connection
> and plan to continue consulting DNS when making use of the ORIGIN frame in
> Chrome.

I'm a little confused by what this means: Is this for ORIGIN frame or
ORIGIN+CERTIFICATE? In the case of ORIGIN alone would this mean that a
multi-SAN cert logged in CT will be trusted, but not one not logged?


> Cheers,
> Ryan

Received on Friday, 14 July 2017 16:32:49 UTC