- From: Adam Roach <adam@nostrum.com>
- Date: Wed, 10 Jan 2018 11:52:12 -0600
- To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mark Nottingham <mnot@mnot.net>
- Cc: httpbis-chairs@ietf.org, Patrick McManus <mcmanus@ducksong.com>, The IESG <iesg@ietf.org>, draft-ietf-httpbis-origin-frame@ietf.org, ietf-http-wg@w3.org

On 1/10/18 11:47 AM, Adam Roach wrote:
> In thinking through the privacy implications you bring up, I noticed
> another potentially problematic aspect of ORIGIN that probably needs
> treatment in the Security Considerations section. With the ongoing
> work to hide SNI from third-party observers [1], OPTIONS may divulge
> more information to such a third party than would otherwise be easily
> obtainable: if I see you connect to an IP address, I can connect to
> the same destination and wait for OPTIONS frames to indicate to me all
> of the potential hosts you could be actually looking for.

Gah. Of course, I mean "ORIGIN" instead of "OPTIONS" above.

/a

Received on Wednesday, 10 January 2018 17:52:48 UTC