On Thu, 9 Jun 2016, [email protected] wrote:
> Forget about TLS for the moment. FF will NOT reuse existing connection for
> regular HTTP connection. Why?
A) Because Firefox doesn't do HTTP/2 at all without TLS
B) Without TLS there's no certificate that provides that extra hint so it
gives the browser less confidence. But really, see (A).
> Because it would be wrong behaviour and will definitely lead to very easy
> MITM attacks,
HTTP (*not HTTPS*) isn't exactly known for being effective against MITM
attacks!
> As you may see, RFC clearly states that valid certificate is an ADDITIONAL
> condition. In other words, if existing connection CAN be reused for HTTP,
> only then you should check for additional requirement - certificate should
> be valid.
So you're now arguing that if a browser would speak HTTP/2 over plain TCP you
think it should reuse connections for this setup even when there's no certs
involved?
That seems like a side track we don't need to take right now. Let's instead
focus on what we think Firefox should and shouldn't do.
> In case of FF what happens is exactly the opposite - FF will not reuse the
> connection for HTTP, but believe it's good for HTTPS.
Firefox speaks HTTP/1.1 over TCP and HTTP/2 over HTTPS, that's the bigger and
important difference here.
I think we're mostly moving in circles. You think Firefox acts wrongly, and
I've tried to explain the reasoning behind its behaviors. I think Firefox
follows the spec both as written as well as in spirit.
I've not seen you explain how this causes actual real-life problems (in a
scenario where you don't install a malicious party's CA cert yourself). Can you
help me understand?
--
/ daniel.haxx.se
_______________________________________________
dev-tech-network mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-network
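The reuse rule the thread is arguing about is the connection-coalescing condition of RFC 7540 section 9.1.1: an HTTP/2 connection may carry requests for another https origin only if that origin resolves to the IP address the connection is already using, and the certificate presented on the connection is also valid for the new host. The check below is an added example written for this page; it is not Firefox's code and not part of the original e-mail thread. The `Connection` record, the SAN list and the DNS answers are constructed test data, and the resolver is stood in for by a dict.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """A pooled client connection. Constructed test data, not Firefox's
    internal connection representation."""
    scheme: str             # "http" or "https" of the origin it was opened for
    protocol: str           # ALPN result: "h2" or "http/1.1"
    peer_ip: str            # remote address the TCP connection went to
    cert_sans: tuple = ()   # dNSName SANs of the server certificate (TLS only)


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style reference-identity match: exact, or a single leading
    '*' label covering exactly one host label ('*.example.com' matches
    'www.example.com' but not 'deep.www.example.com' or 'example.com')."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return False


def cert_covers(conn: Connection, host: str) -> bool:
    return any(san_matches(san, host) for san in conn.cert_sans)


def can_coalesce(conn: Connection, scheme: str, host: str, resolved_ips) -> tuple:
    """Decide whether `conn` may carry requests for scheme://host, following
    the conditions in RFC 7540 section 9.1.1. Returns (decision, reason)."""
    # Coalescing is an HTTP/2 feature; an HTTP/1.1 connection is bound to the
    # host it was opened for. Firefox only negotiates h2 via ALPN over TLS, so
    # a plain-http connection never arrives here with protocol == "h2".
    if conn.protocol != "h2":
        return False, "connection is not HTTP/2"
    if scheme != "https" or conn.scheme != "https":
        return False, "only https origins are coalesced"
    # The new host must resolve to the address the connection already uses.
    peer = ipaddress.ip_address(conn.peer_ip)
    if peer not in {ipaddress.ip_address(ip) for ip in resolved_ips}:
        return False, "new host does not resolve to the connection's peer IP"
    # The additional condition: the certificate already validated on this
    # connection must also be valid for the new host. This, not the IP match,
    # is what stops a party controlling DNS from steering traffic for a name
    # onto a connection they terminate.
    if not cert_covers(conn, host):
        return False, "certificate is not valid for the new host"
    return True, "ok"


# Constructed scenarios: one h2 connection to example.com, one HTTP/1.1 one.
H2_CONN = Connection("https", "h2", "192.0.2.10", ("example.com", "*.example.com"))
H1_CONN = Connection("http", "http/1.1", "192.0.2.10")
DNS = {  # stand-in for the resolver; constructed answers, not real records
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "deep.www.example.com": ["192.0.2.10"],
    "other.test": ["192.0.2.10"],       # a foreign name pointed at the same IP
    "cdn.example.com": ["198.51.100.7"],
}


def run_scenarios() -> dict:
    """Evaluate each constructed scenario; keys are 'proto -> scheme://host'."""
    results = {}
    for conn, scheme, name in (
        (H2_CONN, "https", "www.example.com"),
        (H2_CONN, "https", "deep.www.example.com"),
        (H2_CONN, "https", "other.test"),
        (H2_CONN, "https", "cdn.example.com"),
        (H1_CONN, "http", "www.example.com"),
    ):
        key = f"{conn.protocol} -> {scheme}://{name}"
        results[key] = can_coalesce(conn, scheme, name, DNS[name])
    return results


if __name__ == "__main__":
    for key, (ok, why) in run_scenarios().items():
        print(f"{key:40} reuse={ok} ({why})")
```

The `other.test` scenario is the case the two sides of the thread are talking past each other on: the IP condition alone would let an attacker who controls a DNS answer route requests for that name over an existing connection, which is exactly why the certificate condition is the gating check rather than an afterthought. The HTTP/1.1 scenario is refused before either condition is consulted, which is the behaviour described for plain-http in Firefox.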