-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Positive indicator of server understanding #12
Comments
I'd been under the assumption that http-scheme-over-TLS would only be allowed over HTTP/2? We should make this crystal clear. For example, if Alt-Svc "h2" is used to move http up to TLS then if the TLS fails to negotiate HTTP/2 then the client must fall-back to HTTP/1.1 over clearntext. Does this cover the issues above here? |
Patrick and I have discussed this before, both on and off list IIRC. Yes, it's a problem for HTTP/1. At a minimum, we need security considerations for this. A mechanism for HTTP/1 would be nice, but I'm not sure it's realistic; we'd need some indication of positive support from the server. |
Discussed in Honolulu; document in security considerations. |
Proposed text? |
There is text in the opp-sec draft that might be used. I see no good reason to create a circular dependency, so maybe just copy (and reword) it. |
@martinthomson can you point @reschke in the right direction? |
http://httpwg.github.io/http-extensions/encryption.html#confusion-regarding-request-scheme
I think that this document can alter the last statement. I can't think of a good way to generically phrase the statement, but maybe:
|
I'm not sure how this can be turned into something useful, but this seems pretty bad:
http
andhttps
equally. Scheme is instead inferred from the presence/absence of TLS in the stack.https
endpoint on that server. This can come from any resource on thehttp
endpoint, so it might not require any MitM attack.http
requests to the secure endpoint and now the content from thehttps
origin is entered into thehttp
origin.Do we want to require an explicit indication from HTTP/1.1 servers so that clients can
be assured that this error did not occur?
This should not be a problem for HTTP/2.
The text was updated successfully, but these errors were encountered: