constraining scheme (http vs https) on a connection

Erik Nygren <erik@nygren.org> Fri, 20 May 2016 19:45 UTC

Date: Fri, 20 May 2016 15:40:12 -0400
Message-ID: <CAKC-DJivd-h_H-oOznjTN8=so2zQOhbwuWFkD9hpgvLTqs-WnA@mail.gmail.com>
From: Erik Nygren <erik@nygren.org>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: constraining scheme (http vs https) on a connection
Archived-At: <http://www.w3.org/mid/CAKC-DJivd-h_H-oOznjTN8=so2zQOhbwuWFkD9hpgvLTqs-WnA@mail.gmail.com>

In some recent discussions, it has come up that we don't clearly specify
whether multiple schemes (eg, http and https) can share a single
connection.  For example, if www.example.com has a valid certificate for
www.example.com then by the reading of rfc7540 a client could potentially
use a single connection for http://www.example.com/ and
https://www.example.com/.

By the reading of rfc7540, it also seems like if www.evil.com resolves to
the same IP address as www.example.com (which www.example.com has no
control over) a client might be willing/able to send requests over the
www.example.com connection?

This seems like it has the potential for confusion.  For example, if
www.example.com is using client cert auth.  Or if a server is
distinguishing HTTP vs HTTPS based on port number as described as a risk in
draft-ietf-httpbis-http2-encryption and discussed here.  There also seem
like some potential attacks that become easier if a client is making HTTP
requests over HTTP/2 sharing a connection with HTTPS.  (For example,
side-channel attacks between HTTP and HTTPS seem easy here, and there might
be some compression based attacks.)  Am I alone in thinking this connection
sharing (which servers can't really control today outside of returning a
421 for HTTP-scheme requests) is a bad idea?

Some things seem worth considering here:

* The ORIGIN frame helps here as an origin can list only supporting the
"https://www.example.com" origin.

* We likely want to have draft-ietf-httpbis-http2-encryption prohibit
sharing requests for secure and non-secure schemes over a single
connection, even if authenticated.

Is there any other guidance we should be proposing on this front?  For
example, to discourage clients from doing this sharing and to encourage
servers to return 421 if they see mixed schemes on a connection?

Best, Erik
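The reuse rules discussed in this message, modelled as an added example (this is not code from the author, from any HTTP/2 client or server, or from the drafts cited): the client-side check reproduces the RFC 7540 section 9.1.1 coalescing conditions (same IP address, certificate valid for the host) and adds the one-scheme-per-connection constraint proposed above, optionally honouring a set of origins advertised by the server (a simplified stand-in for the ORIGIN frame); the server-side check answers 421 both for authorities it does not serve and for a second scheme appearing on a connection. The `Connection`, `Server`, `client_send` and `server_status` names, the certificate matching (exact or single-label wildcard only) and the sample addresses are all constructed for the example.

```python
"""Model of HTTP/2 connection reuse with a per-connection scheme constraint.

Constructed example: the client side follows RFC 7540 section 9.1.1 (same IP,
certificate valid for the host) and additionally refuses to mix schemes; the
server side returns 421 Misdirected Request for requests that do not belong
on the connection.  Names and addresses below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MISDIRECTED_REQUEST = 421
OK = 200


def cert_covers(cert_names, host):
    """True if a certificate DNS name matches host (exact, or a single-label wildcard)."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


@dataclass
class Connection:
    peer_ip: str                                   # address the connection was opened to
    tls: bool                                      # whether the connection is TLS-protected
    cert_names: FrozenSet[str] = frozenset()       # DNS names on the presented certificate
    advertised: Optional[FrozenSet[str]] = None    # origins the server listed (ORIGIN-frame stand-in)
    scheme: Optional[str] = None                   # fixed by the first request on the connection


def client_can_reuse(conn, scheme, host, resolved_ip):
    """Client-side decision: may `scheme://host/` be sent over `conn`?"""
    if resolved_ip != conn.peer_ip:
        return False                               # 9.1.1: name must resolve to the same IP
    if scheme == "https" and (not conn.tls or not cert_covers(conn.cert_names, host)):
        return False                               # 9.1.1: certificate must cover the host
    if conn.advertised is not None and f"{scheme}://{host}" not in conn.advertised:
        return False                               # server did not list this origin
    if conn.scheme is not None and conn.scheme != scheme:
        return False                               # proposed rule: one scheme per connection
    return True


def client_send(conn, scheme, host, resolved_ip):
    """Apply the check and, on the first request, pin the connection's scheme."""
    if not client_can_reuse(conn, scheme, host, resolved_ip):
        return False
    if conn.scheme is None:
        conn.scheme = scheme
    return True


@dataclass
class Server:
    origins: FrozenSet[str]                        # origins this server is configured to serve


def server_status(server, conn, scheme, authority):
    """Server-side check for one request; 421 for misdirected or mixed-scheme requests."""
    if f"{scheme}://{authority}" not in server.origins:
        return MISDIRECTED_REQUEST                 # e.g. www.evil.com sharing the server's IP
    if conn.scheme is None:
        conn.scheme = scheme                       # first request fixes the scheme
    elif conn.scheme != scheme:
        return MISDIRECTED_REQUEST                 # http and https must not share a connection
    return OK


if __name__ == "__main__":
    # Constructed sample: an https connection to www.example.com at 203.0.113.10.
    c = Connection("203.0.113.10", tls=True, cert_names=frozenset({"www.example.com"}))
    print(client_send(c, "https", "www.example.com", "203.0.113.10"))   # True
    print(client_send(c, "http", "www.example.com", "203.0.113.10"))    # False: mixed scheme
    print(client_send(c, "https", "www.evil.com", "203.0.113.10"))      # False: cert mismatch
    s = Server(frozenset({"https://www.example.com"}))
    sc = Connection("203.0.113.10", tls=True)
    print(server_status(s, sc, "https", "www.example.com"))             # 200
    print(server_status(s, sc, "http", "www.example.com"))              # 421
```

The client refuses the reuse in three independent ways (IP, certificate, scheme), so a server that cannot influence where www.evil.com resolves still never receives its requests from a conforming client; the server check is the backstop for clients that do not follow the scheme rule.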