- From: Watson Ladd <watson@cloudflare.com>
- Date: Fri, 14 Jul 2017 09:32:21 -0700
- To: Ryan Hamilton <rch@google.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Piotr Sikora <piotrsikora@google.com>
Received on Friday, 14 July 2017 16:32:49 UTC
On Fri, Jul 14, 2017 at 6:18 AM, Ryan Hamilton <rch@google.com> wrote: > Howdy Folks, > > I've been talking with Chrome security folks about the issue of skipping > DNS resolutions when using an existing HTTP/2 connection for a new origin > announced via an ORIGIN frame. It is crystal clear that saving DNS > resolutions represents a real performance win, especially for long-tail > users. > > However, we are not comfortable with the increased ability of an off-path > attacker to exploit a mis-issued certificate. A DNS resolution is not the > strongest security assertion in the world, but it's definitely something. > > Before trusting a certificate for a connection, we'd like an assertion > from some other trusted source. This could be: > * On-path presence, for example DNS resolution, or proxy configuration > * A previous assertion from the origin itself (Alt-Svc) > * CT logs, etc. > Without such an assertion, we're not comfortable trusting the connection > and plan to continue consulting DNS when making use of the ORIGIN frame in > Chrome. > I'm a little confused by what this means: Is this for ORIGIN frame or ORIGIN+CERTIFICATE? In the case of ORIGIN alone would this mean that a multi-SAN cert logged in CT will be trusted, but not one not logged? Sincerely, Watson > > Cheers, > > Ryan >
Received on Friday, 14 July 2017 16:32:49 UTC