IETF Logo Mail Archive

Re: AD review of draft-ietf-httpbis-alt-svc-10

Mark Nottingham <mnot@mnot.net> Thu, 04 February 2016 00:50 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7187A1B379F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 3 Feb 2016 16:50:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6ui0eW0U3Yi for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 3 Feb 2016 16:50:19 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 509CD1B3798 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 3 Feb 2016 16:50:18 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aR83p-0003pC-07 for ietf-http-wg-dist@listhub.w3.org; Thu, 04 Feb 2016 00:46:13 +0000
Resent-Date: Thu, 04 Feb 2016 00:46:12 +0000
Resent-Message-Id: <E1aR83p-0003pC-07@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1aR83h-0003oH-NN for ietf-http-wg@listhub.w3.org; Thu, 04 Feb 2016 00:46:05 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1aR83e-0001eU-1Q for ietf-http-wg@w3.org; Thu, 04 Feb 2016 00:46:04 +0000
Received: from [192.168.1.101] (unknown [120.149.194.112]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 6299622E271; Wed, 3 Feb 2016 19:45:34 -0500 (EST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <56B1FCD5.2060500@gmx.de>
Date: Thu, 04 Feb 2016 11:45:31 +1100
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Mike Bishop <Michael.Bishop@microsoft.com>, Barry Leiba <barryleiba@computer.org>, "draft-ietf-httpbis-alt-svc@ietf.org" <draft-ietf-httpbis-alt-svc@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DF5ACE2B-FAD4-4B43-B140-B0939641C67D@mnot.net>
References: <CALaySJK5fYy_JCv0Y7Fs3QpPk95fUxyt272JMc-QUpVKO7_gJA@mail.gmail.com> <56853BCC.7030005@gmx.de> <56927D52.2000106@gmx.de> <CALaySJ+mVOHinmehK2jm3jQaEkXJZ2BRbaY4a5wuw=eOOO-A9Q@mail.gmail.com> <BN3PR03MB13675838E560ED08916D245187C90@BN3PR03MB1367.namprd03.prod.outlook.com> <5693DC2E.7010001@cs.tcd.ie> <569562B6.904@cs.tcd.ie> <BN3PR03MB13677294EE2ABFE14D0A56D087CA0@BN3PR03MB1367.namprd03.prod.outlook.com> <CALaySJ+918e-VO2V6HTK6OnQc0kQrY-YYj=ZToxs3wXxZqjvCg@mail.gmail.com> <56962487.6030709@cs.tcd.ie> <BN3PR03MB1367417E3088E4AD82F9B53887CB0@BN3PR03MB1367.namprd03.prod.outlook.com> <5696A318.4010808@cs.tcd.ie> <312E9853-E205-454C-8A71-487FDF357A8D@mnot.net> <56B1FCD5.2060500@gmx.de>
To: "Julian F. Reschke" <julian.reschke@gmx.de>
X-Mailer: Apple Mail (2.2104)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-8.3
X-W3C-Hub-Spam-Report: AWL=1.334, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aR83e-0001eU-1Q b99b47145e4b17a4c70fbf70603fdf95
X-Original-To: ietf-http-wg@w3.org
Subject: Re: AD review of draft-ietf-httpbis-alt-svc-10
Archived-At: <http://www.w3.org/mid/DF5ACE2B-FAD4-4B43-B140-B0939641C67D@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31042
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Merged.


> On 4 Feb 2016, at 12:12 am, Julian Reschke <julian.reschke@gmx.de> wrote:
> 
> On 2016-01-15 04:27, Mark Nottingham wrote:
>> In some side discussions, I've come across other people who are unhappy with this state of affairs, so I don't think you're alone. I'll leave it up to them to decide how to participate here.
>> 
>> To be explicit -- we are opening up a potential same machine attack (specifically, someone on a shared HTTP server who has the ability to both add response headers -- such as with .htaccess or a CGI script -- and listen to another port (possibly, ANY port) on the same box can then hijack traffic intended for other users.
>> 
>> The motivation for doing so is to enable the HTTP Opportunistic Security specification, which offers weak protection against pervasive monitors, but is vulnerable to active attackers, and doesn't improve Web security in other (and important) ways that HTTPS does. We have only one implementation of that specification in a browser, and no sign that it will be adopted by others.
>> 
>> Is this a reasonable tradeoff? We are planning to publish this is Experimental, so the question might also be "is this a responsible experiment to run?"
>> 
>> Cheers,
> 
> I opened <https://github.com/httpwg/http-extensions/issues/139> to track this.
> 
> Best regards, Julian
> 

--
Mark Nottingham   https://www.mnot.net/

v2.39.1 | Report a Bug | By Email | System Status