Date:  09 Jun 2016 18:44:45 Hong Kong Time

Re: FireFox re-using HTTP2 connection to a wrong IP address & MITM attacks.

NNTP-Posting-Host:  2a01:ad00:3:1:a476:dff6:df13:89af

> As you know, but not everybody reading this email might be up to speed with, 
> Firefox does this to keep the number of TCP connections to a minimum when it 
> speaks HTTP/2. "unsharding" as we sometimes call it! =)
> They both have a cert that covers both hosts and they both share at least one 
> IP address. And they speak HTTP/2, so in the rare occasion that this would be 
> a wrong assumption the server can return 421.

Excellent, then please make it behave exactly the same way with IPv4-only addresses. Why is FF not following the same logic if all IPs are strictly IPv4?

Also, let's add to the RFC then that all servers must reply with 421 for domains that are not served, as Firefox may decide to contact the server regardless of the IP addresses returned by DNS. The next step will be forcing the whole world to implement it.

In real life, both hosts can be administered by different people / legal entities, even if they share the same parent domain.

You can't say that the correct functionality of host_2 depends on what a 3rd party (the administrator of host_1) configured on his server?

And if you are right and this behaviour is in compliance with the RFC, then why is FF the ONLY browser behaving that way?
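The exchange above turns on two pieces of logic: the client-side rule the quoted reply states for reusing an HTTP/2 connection (the certificate must cover the second host and the two hosts must share at least one IP), and the server-side 421 Misdirected Request answer that the poster objects to being obliged to implement. The following Go program is an added illustration written for this page; it is not code from the thread, from Firefox, or from any browser, and it only models the two conditions as the quoted text phrases them. The function names `canCoalesce` and `misdirectedGuard`, the hostnames under `example.com` and the addresses in the 192.0.2.0/24 documentation range are all constructed for the example; the host_1 / host_2 naming follows the thread.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// hostMatchesCert reports whether a certificate name (an exact name or a
// single-label wildcard such as "*.example.com") covers host.
func hostMatchesCert(certName, host string) bool {
	certName = strings.ToLower(certName)
	host = strings.ToLower(host)
	if !strings.HasPrefix(certName, "*.") {
		return certName == host
	}
	// A wildcard covers exactly one label: "*.example.com" matches
	// "a.example.com" but neither "example.com" nor "x.a.example.com".
	suffix := certName[1:] // ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// sharesIP reports whether any address in a also appears in b.
func sharesIP(a, b []net.IP) bool {
	for _, x := range a {
		for _, y := range b {
			if x.Equal(y) {
				return true
			}
		}
	}
	return false
}

// canCoalesce applies the two conditions the quoted reply gives for reusing an
// existing HTTP/2 connection to host_1 for a request to host_2: the certificate
// on that connection must cover host_2, and host_2's DNS answer must share at
// least one IP with host_1's. (Hypothetical model of the rule, not browser code.)
func canCoalesce(certNames []string, host1IPs, host2IPs []net.IP, host2 string) bool {
	covered := false
	for _, n := range certNames {
		if hostMatchesCert(n, host2) {
			covered = true
			break
		}
	}
	return covered && sharesIP(host1IPs, host2IPs)
}

// misdirectedGuard wraps a handler and answers 421 Misdirected Request when the
// request's authority is not one this server is configured to serve. This is
// the server-side check the thread discusses: a coalesced request that lands
// on the wrong origin is refused instead of being handled as if it belonged here.
func misdirectedGuard(served []string, next http.Handler) http.Handler {
	set := make(map[string]struct{}, len(served))
	for _, h := range served {
		set[strings.ToLower(h)] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // drop an explicit port before comparing
		}
		if _, ok := set[strings.ToLower(host)]; !ok {
			http.Error(w, "misdirected request", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample data: host_1 and host_2 share one IPv4 address and
	// sit under a wildcard certificate, so the client-side rule allows reuse.
	cert := []string{"*.example.com"}
	host1 := []net.IP{net.ParseIP("192.0.2.10")}
	host2 := []net.IP{net.ParseIP("192.0.2.10"), net.ParseIP("192.0.2.11")}
	fmt.Println("coalesce host_2 onto host_1:", canCoalesce(cert, host1, host2, "host2.example.com"))

	// A server that only serves host_1 refuses a coalesced request for host_2.
	h := misdirectedGuard([]string{"host1.example.com"},
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	_ = h // in a real deployment: http.ListenAndServeTLS(":443", cert, key, h)
}
```

The guard is independent of how the client reached the server: whether a browser coalesced by the quoted rule or not, only authorities the operator listed are served, which is the 421 behaviour the reply says HTTP/2 servers can fall back on.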