6

HTTP/2's opportunistic encryption of http URIs using TLS appears to allow the possibility of man-in-the-middle attacks. Is that true?

RFC for opportunistic encryption.

Here's HTTP/2's spec for opportunistic encryption.

1 Answer

6

Opportunistic encryption assumes only a passive attacker (i.e. sniffing only) and thus of course makes man-in-the-middle attacks by an active attacker (which can modify the connection) possible. This is not restricted to HTTP/2 but is a general limitation of opportunistic encryption. See also Wikipedia about this topic.
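
The passive/active distinction from the answer above, as an added example that is not part of the original question or answer. It models a client that upgrades an `http` URI to TLS only when the cleartext response carries an `Alt-Svc` header (RFC 7838), and shows why that fails open when the response can be modified in transit. The function names, the `require_tls` fail-closed policy and the sample headers are assumptions constructed for illustration.

```python
import re

# One Alt-Svc alternative, e.g. h2=":443"; ma=3600 (RFC 7838 syntax, simplified).
_ALT = re.compile(r'\s*([A-Za-z0-9\-]+)="([^"]*):(\d+)"')

def parse_alt_svc(value):
    """Return [(protocol_id, host, port)] from an Alt-Svc header value."""
    if value is None or value.strip() == "clear":
        return []
    alts = []
    for entry in value.split(","):
        m = _ALT.match(entry)
        if m:
            alts.append((m.group(1), m.group(2), int(m.group(3))))
    return alts

def choose_transport(headers, require_tls=False):
    """Model the client's next step after a cleartext response for an http:// URI.

    require_tls is a hypothetical fail-closed policy, shown for contrast with
    the opportunistic (fail-open) behaviour.
    """
    names = {k.lower(): v for k, v in headers.items()}
    for proto, host, port in parse_alt_svc(names.get("alt-svc")):
        if proto == "h2":
            # An empty host in the alternative means "same host as the origin".
            return ("tls", host or "origin", port)
    if require_tls:
        return ("refuse", None, None)
    # Opportunistic: no advertisement seen, so carry on in cleartext.
    return ("cleartext", "origin", 80)

def on_path_view(headers, active):
    """Headers as the client receives them. A passive observer leaves them
    unchanged; an active one can alter the cleartext response."""
    if not active:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "alt-svc"}

# Constructed sample response headers from the origin server.
SERVER_HEADERS = {"Content-Type": "text/html", "Alt-Svc": 'h2=":443"; ma=3600'}

if __name__ == "__main__":
    for active in (False, True):
        seen = on_path_view(SERVER_HEADERS, active)
        print("active" if active else "passive",
              choose_transport(seen), choose_transport(seen, require_tls=True))
```

The client cannot tell a server that never advertised TLS from a response whose advertisement was removed, so only a policy that refuses cleartext detects the difference.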
