Re: Adam Roach's No Objection on draft-ietf-httpbis-origin-frame-04: (with COMMENT)

On 1/10/18 11:47 AM, Adam Roach wrote:
> In thinking through the privacy implications you bring up, I noticed 
> another potentially problematic aspect of ORIGIN that probably needs 
> treatment in the Security Considerations section. With the ongoing 
> work to hide SNI from third-party observers [1], OPTIONS may divulge 
> more information to such a third party than would otherwise be easily 
> obtainable: if I see you connect to an IP address, I can connect to 
> the same destination and wait for OPTIONS frames to indicate to me all 
> of the potential hosts you could be actually looking for. 

Gah. Of course, I mean "ORIGIN" instead of "OPTIONS" above.


Received on Wednesday, 10 January 2018 17:52:48 UTC