Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)

ChanMaxthon <xcvista@me.com> Tue, 31 March 2015 22:08 UTC

From: ChanMaxthon <xcvista@me.com>
In-reply-to: <BL2PR03MB132223D60CD0113036E27A287F40@BL2PR03MB132.namprd03.prod.outlook.com>
Date: Wed, 01 Apr 2015 06:03:51 +0800
Cc: Matthew Kerwin <matthew@kerwin.net.au>, "Walter H." <Walter.H@mathemainzel.info>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-id: <7C5D147F-FFD0-4B55-95AF-2A513D5D5C56@me.com>
References: <5517E353.2070800@mathemainzel.info> <BL2PR03MB1321B441AC87F64CA1536BB87F50@BL2PR03MB132.namprd03.prod.outlook.com> <-2692015409415017710@unknownmsgid> <CAN5uf-Sxe4RWLb71-vWZvm0TVYMENK=4B+Awfz4c5NUAOEesaQ@mail.gmail.com> <880c6444186187addd3b67cc91230de4.1427779814@squirrel.mail> <551A62B7.5080100@treenet.co.nz> <6c1ec434cd6ee6344d0e2698441effa3.1427793164@squirrel.mail> <551A8334.2030504@treenet.co.nz> <20150331114724.GB7183@1wt.eu> <551AE6F9.7080002@mathemainzel.info> <20150331182822.GG7183@1wt.eu> <9D3FDA54-740F-487D-A316-D8C9A75CD9FB@me.com> <551AED98.7070601@mathemainzel.info> <DE153F85-6CE9-479F-B2CA-97B487990367@me.com> <CACweHNAqEkbgcOgtiq_V7oqWK6aQ6Fsb9VF++qZF0BAfo9vZbA@mail.gmail.com> <BL2PR03MB132223D60CD0113036E27A287F40@BL2PR03MB132.namprd03.prod.outlook.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Subject: Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)
Archived-At: <http://www.w3.org/mid/7C5D147F-FFD0-4B55-95AF-2A513D5D5C56@me.com>

Maybe I missed that and abused the Server header, but the gist is still there: on the first request, if cached information is not available, which is plain HTTP/1.1, the server advertises its availability of HTTP/2 capabilities; and on the second request, or if a previous successful HTTP/2 session is still in cache, HTTP/2 traffic is started by sending an HTTP/1.1 Upgrade request, which is answered with an HTTP/2 response.

This non-symmetric behaviour would throw off some of those MITM attempts (an unwanted HTTP/1.1 response to this particular request is ignored).

Sent from my iPhone

> On Apr 1, 2015, at 05:49, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> 
> The fact that one major Internet company has a bad habit of returning 400 when they see Upgrade: Anything-other-than-WebSockets on a request.
>  
> But that’s a server bug, and we shouldn’t mandate protocol behavior to work around a single implementation’s bug – all the necessary pieces are already in HTTP/1.1.  You don’t need to abuse the Host header – the Upgrade header in a response is already defined to mean exactly that.  It’s a hint of protocols the server would be willing to upgrade to, if the client supports it.  A cautious client can wait for the server to advertise willingness to upgrade, then actually perform the upgrade on the next request.  (And presumably cache the fact for future savings of the RTT.)
>  
> From: phluid61@gmail.com [mailto:phluid61@gmail.com] On Behalf Of Matthew Kerwin
> Sent: Tuesday, March 31, 2015 2:17 PM
> To: Maxthon Chan
> Cc: Walter H.; ietf-http-wg@w3.org
> Subject: Re: comprehensive TLS is not the solution, it's a bug ... (was 2 questions)
>  
> On 1 April 2015 at 05:11, Maxthon Chan <xcvista@me.com> wrote:
>> Sorry for not being aware of that, as I am new to this list.
> 
> The archives are at https://lists.w3.org/Archives/Public/ietf-http-wg/
> 
> A lot of ground has been covered there.
> 
>> Any form of HTTP/1.1-based HTTP/2 protocol negotiation must allow a client to ignore hints of HTTP/2 availability and keep speaking HTTP/1.1.
>> 
>> How about this two-request protocol negotiation:
>> 
>> The first request is normal HTTP/1.1, and the server announces its HTTP/2 availability by including the string “HTTP/2” at the end of its Server header. This hint will be blissfully ignored by all older browsers that do not support HTTP/2, but it will be picked up by browsers supporting it.
>> 
>> The second request starts off with an HTTP/1.1 protocol upgrade to HTTP/2, and the server responds to the HTTP/1.1 protocol upgrade request with an HTTP/2 response, which will break non-HTTP/2 browsers (which is intentional here).
>> 
>> The browser can cache the HTTP/2 availability, and all further communication, even a new session, can start with an HTTP/1.1 protocol upgrade and then full-blown HTTP/2 traffic.
> 
> How is that any better than the client just sending Upgrade: h2c (or h2) with the first request?
> 
> 
>  
> --
>   Matthew Kerwin
>   http://matthew.kerwin.net.au/