

Certificate verification bypass through the HTTP/2 Alt-Svc header - taylorbuley
https://www.mozilla.org/en-US/security/advisories/mfsa2015-44/

======
Animats
From the RFC: _"In some cases, it is desirable to separate identification and
location in HTTP; keeping the same identifier for a resource, but interacting
with it at a different location on the network."_

Funny how, in the name of "security" or "performance", changes are being made
to HTTP which allow easy, user-invisible redirection to a completely different
site. The EFF's "HTTPS Everywhere" also has a redirection feature, where
regular expressions in files sent from Master Control at the EFF can change a
URL inside a browser.

What could possibly go wrong?

------
TazeTSchnitzel
Wait, but isn't that the whole point? In order to allow opportunistic
encryption, it's supposed to allow self-signed certificates.

I don't get it.

~~~
zurn
It says this enabled impersonation of another site through MITM. So maybe the
bug is that it looks the same/too similar in the UI as a normal verified TLS
connection to the victim site.

~~~
TazeTSchnitzel
Ah, okay.

------
MichaelGG
It'll be interesting to see the exact code flaw (the bug appears to be private
at the moment). I'd imagine things like this are just the result of one wrong
if or a variable set at the wrong time.

