Re: [apps-discuss] Fwd: Last Call: draft-hammer-hostmeta (Web Host

2010-07-29 Thread Martin Rex
Aaron Stone wrote:
 
 Additionally, the requirements to first check via HTTPS, then via
 HTTP, and the requirements for identical contents, are not
 requirements imposed by RFC 5785 -- though 5785 allows that a
 registration ... MAY also contain additional information, ... or
 protocol-specific details. A reference to that text might be useful
 to remind an implementer that other well-known URIs may have different
 protocol-specific requirements.

You've found a very serious problem with this document.

The assumption that when a web server is accessible by HTTP on port 80
on some host, then an HTTPS server on port 443 will provide access
to the same web server by HTTPS is seriously flawed.

In the survey here
http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm

a simple DNS scan for web servers found 92 million domain names (out of 119 million)
hosting a web server on port 80.  34 million (of the 92 million) had an
HTTPS server running on port 443 as well.

When performing an SSL handshake on port 443 of these 34 million
(with a TLS client that did not send Server Name Indication (the TLS SNI extension)),
only 3.17 percent of these servers presented a server certificate
matching the hostname used by the client to open the network connection.


In essence this means the recommendation to first try HTTPS, then
HTTP is going to result in ~99% failures to successfully
access the correct web server, and is therefore _very_ impractical
guidance for an RFC for the real-world Internet.


Regards,
-Martin
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf


Re: [apps-discuss] Fwd: Last Call: draft-hammer-hostmeta (Web Host Metadata) to Proposed Standard

2010-07-28 Thread Aaron Stone
In Section 2 of draft-hammer-hostmeta-13, the spec directs a client to
make HTTP and HTTPS connections to ports 80 and 443, respectively. The
spec ought not refer to specific port numbers in normative text, but
rather the well-known HTTP and HTTPS ports -- if at all. Note that RFC
5785 (Well-Known URIs) does not refer to port numbers.

Additionally, the requirements to first check via HTTPS, then via
HTTP, and the requirements for identical contents, are not
requirements imposed by RFC 5785 -- though 5785 allows that a
registration ... MAY also contain additional information, ... or
protocol-specific details. A reference to that text might be useful
to remind an implementer that other well-known URIs may have different
protocol-specific requirements.

Cheers,
Aaron


On Thu, Jul 1, 2010 at 9:17 AM, Peter Saint-Andre stpe...@stpeter.im wrote:
 FYI.

  Original Message 
 Subject: Last Call: draft-hammer-hostmeta (Web Host Metadata) to
 Proposed Standard
 Date: Fri, 25 Jun 2010 05:30:41 -0700 (PDT)
 From: The IESG iesg-secret...@ietf.org
 Reply-To: ietf@ietf.org
 To: IETF-Announce ietf-annou...@ietf.org

 The IESG has received a request from an individual submitter to consider
 the following document:

 - 'Web Host Metadata '
   draft-hammer-hostmeta-13.txt as a Proposed Standard

 The IESG plans to make a decision in the next few weeks, and solicits
 final comments on this action.  Please send substantive comments to the
 ietf@ietf.org mailing lists by 2010-07-23. Exceptionally,
 comments may be sent to i...@ietf.org instead. In either case, please
 retain the beginning of the Subject line to allow automated sorting.

 The file can be obtained via
 http://www.ietf.org/internet-drafts/draft-hammer-hostmeta-13.txt


 IESG discussion can be tracked via
 https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=19329&rfc_flag=0

 ___
 IETF-Announce mailing list
 ietf-annou...@ietf.org
 https://www.ietf.org/mailman/listinfo/ietf-announce


 ___
 apps-discuss mailing list
 apps-disc...@ietf.org
 https://www.ietf.org/mailman/listinfo/apps-discuss


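The discovery order both messages discuss (Aaron's summary of the draft: HTTPS first, then HTTP, with identical contents; Martin's objection that the certificate on port 443 usually does not match the host name) is easier to reason about with the client logic written out. The following is an added example, not code from draft-hammer-hostmeta and not posted by either author in this thread. It assumes a client that tries https://<host>/.well-known/host-meta first, falls back to the http:// URL only when the HTTPS document is absent, and does not fall back on a TLS failure unless the caller explicitly opts in, because a certificate that does not match the host name (the overwhelming majority of port-443 servers in the survey Martin cites) is also exactly what an on-path attacker would present. The `discover`, `copies_identical`, `fake_fetcher` and `urllib_fetch` names are this example's own; the network layer is a callable so the decision logic runs offline, and the one real fetcher uses Python's default SSL context, which sends SNI and verifies the host name (so its results will differ from the survey's SNI-less client).

```python
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

WELL_KNOWN_PATH = "/.well-known/host-meta"


class TLSFailure(Exception):
    """Handshake or certificate verification failed on port 443."""


class NotFound(Exception):
    """The server answered, but no host-meta document exists (HTTP 404)."""


# A fetcher maps a URL to the response body, or raises one of the above.
Fetcher = Callable[[str], bytes]


@dataclass
class HostMeta:
    body: bytes
    scheme: str                      # "https" or "http"
    tls_error: Optional[str] = None  # set only when 443 failed and we fell back


def discover(host: str, fetch: Fetcher,
             allow_http_after_tls_error: bool = False) -> HostMeta:
    """Fetch host-meta, HTTPS first, then HTTP (assumed client behaviour).

    A TLS failure propagates unless the caller opted in to plain-HTTP
    fallback: silently degrading on a certificate error would let anyone
    able to break the TLS connection steer the client to the HTTP copy.
    """
    https_url = f"https://{host}{WELL_KNOWN_PATH}"
    http_url = f"http://{host}{WELL_KNOWN_PATH}"
    tls_error = None
    try:
        return HostMeta(fetch(https_url), "https")
    except NotFound:
        pass  # HTTPS server is fine, it just has no host-meta: try HTTP
    except TLSFailure as exc:
        if not allow_http_after_tls_error:
            raise
        tls_error = str(exc)
    return HostMeta(fetch(http_url), "http", tls_error)  # may raise NotFound


def copies_identical(host: str, fetch: Fetcher) -> bool:
    """Operator-side check: if both copies are served they must be identical.

    Returns True when both bodies are byte-for-byte equal or only one copy
    is reachable; False when both exist and differ.
    """
    bodies = []
    for scheme in ("https", "http"):
        try:
            bodies.append(fetch(f"{scheme}://{host}{WELL_KNOWN_PATH}"))
        except (NotFound, TLSFailure):
            pass
    return len(bodies) < 2 or bodies[0] == bodies[1]


def urllib_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Real fetcher: the default context verifies chain and host name and sends SNI."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:       # subclass of URLError: test first
        if exc.code == 404:
            raise NotFound(url) from exc
        raise
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLError):  # includes SSLCertVerificationError
            raise TLSFailure(str(exc.reason)) from exc
        raise


def fake_fetcher(https, http) -> Fetcher:
    """Constructed offline fetcher: each argument is a body or an exception to raise."""
    def fetch(url: str) -> bytes:
        outcome = https if url.startswith("https://") else http
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return fetch


if __name__ == "__main__":
    # Constructed scenario: port 443 answers with a certificate for another name,
    # port 80 serves a document.  "example.com" is a placeholder host.
    mismatch = fake_fetcher(TLSFailure("hostname mismatch"), b"<XRD/>")
    try:
        discover("example.com", mismatch)
    except TLSFailure as exc:
        print("strict client refused:", exc)
    print(discover("example.com", mismatch, allow_http_after_tls_error=True))
```

Run as a script it exercises only the constructed fetcher; pass `urllib_fetch` as the fetcher to probe a real host. The point of keeping `allow_http_after_tls_error` off by default is that, under Martin's numbers, a client that treats every certificate mismatch as "fall back to HTTP" will almost always end up reading the unauthenticated copy without anyone having to attack it.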