It appears that Martin Thomson <m...@lowentropy.net> said:
>There is a piece missing. Yaron mentioned Alpaca. For that what we need
>to say is what Alexey might fear: application protocols MUST define ALPN
>labels and use them.

Well, you know, ALPACA is the predictable result of three decades of web
browsers accepting any crud from broken web servers and trying to guess
what it was supposed to mean. It'd be more effective to say that browsers
MUST send ALPNs and MUST NOT accept responses that don't send an expected
ALPN back. That seems more likely to happen as people implement http/2
than that mail and IMAP and FTP servers that don't care about ALPNs will
add them to defend against attacks that don't affect them.

I made my mail servers a lot less useful for that particular hack by
adjusting them to drop the connection after any bad command since real
mail clients never send bad commands. (They weren't useful for ALPACA
anyway since I don't run mail and web servers with the same domain name
but it's the thought that counts.)

R's,
John
 


_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
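
The drop-on-first-bad-command behaviour described in the message above, as an added sketch that is not part of the original post and not the author's server code. The verb list, reply texts, `run_session` name and sample sessions are assumptions constructed for illustration.

```python
# Toy SMTP command loop: tolerant mode answers 500 and keeps reading,
# strict mode closes the connection on the first unrecognized command.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
              "QUIT", "VRFY", "STARTTLS", "AUTH", "HELP"}

def run_session(lines, strict=True):
    """Return (replies, lines_processed, dropped_for_bad_command)."""
    replies, processed, in_data = [], 0, False
    for raw in lines:
        processed += 1
        line = raw.rstrip("\r\n")
        if in_data:                       # message body is not parsed as commands
            if line == ".":
                in_data = False
                replies.append("250 queued")
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb not in SMTP_VERBS:
            if strict:
                replies.append("421 bad command, closing connection")
                return replies, processed, True
            replies.append("500 unrecognized command")
            continue
        if verb == "QUIT":
            replies.append("221 bye")
            return replies, processed, False
        if verb == "DATA":
            in_data = True
            replies.append("354 go ahead")
        else:
            replies.append("250 ok")
    return replies, processed, False

# Constructed sample: an HTTP request arriving on the mail port.
HTTP_ON_SMTP_PORT = ["POST / HTTP/1.1", "Host: mail.example.test",
                     "Content-Length: 6", "", "NOOP"]
# Constructed sample: an ordinary mail client session.
MAIL_CLIENT = ["EHLO client.example.test", "MAIL FROM:<a@example.test>",
               "RCPT TO:<b@example.test>", "DATA", "Subject: hi", "",
               "body", ".", "QUIT"]

if __name__ == "__main__":
    for name, sess in (("http", HTTP_ON_SMTP_PORT), ("mail", MAIL_CLIENT)):
        for strict in (False, True):
            print(name, "strict" if strict else "tolerant",
                  run_session(sess, strict))
```

In tolerant mode the session stays open through every HTTP line, so later lines are still interpreted as commands; in strict mode it ends at the first line, and the ordinary client session is unaffected either way.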
