From:  yurykk@gmail.com
Date:  09 Jun 2016 19:42:05 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.tech.network
Subject:  Re: FireFox re-using HTTP2 connection to a wrong IP address & MITM attacks.

NNTP-Posting-Host:  2a01:ad00:3:1:a476:dff6:df13:89af

> > Excellent, then please make it behave exactly the same way with IPv4-only
> > addresses. Why is FF not following the same logic if all IPs are strictly
> > IPv4?
> 
> It does. Or perhaps I should say it should, if you indeed can reproduce a 
> scenario where it doesn't. IP version is not relevant for this context. IP 
> address overlap is.

No, it doesn't. If all 3 IP addresses are v4 addresses, FF is not re-using IP_ADDR_2 in a similar scenario.


Let's look carefully at RFC 7540, Section 9.1.1 (Connection Reuse):

"A connection can be reused as long as the origin server is authoritative (Section 10.1). For TCP connections without TLS, this depends on the host having resolved to the same IP address."

Forget about TLS for the moment. FF will NOT reuse an existing connection for a regular HTTP connection. Why?

Because it would be wrong behaviour and would definitely lead to very easy MITM attacks. Or do you think FF _should_ reuse an existing connection in this case as well?


"For "https" resources, connection reuse ADDITIONALLY depends on having a certificate that is valid for the host in the URI."


As you may see, the RFC clearly states that a valid certificate is an ADDITIONAL condition. In other words, only if an existing connection CAN be reused for HTTP should you then check the additional requirement: the certificate must be valid.

I.e. there is a chance that a connection which is good to reuse for HTTP will not be suitable for HTTPS, but not the opposite.

In the case of FF what happens is exactly the opposite: FF will not reuse the connection for HTTP, but believes it is good for HTTPS.
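The reuse rule the post quotes from RFC 7540 Section 9.1.1, worked through as an added example. This is not code from the original post, from Firefox, or from the RFC; the hostnames, the DNS records and the certificate names are constructed sample data, `cert_names` is assumed to be the set of SAN dNSNames already extracted from a chain that passed validation, and wildcard matching is simplified to a single leading label. The point it demonstrates is the ordering the post argues for: the IP-overlap test is applied first for both schemes, and for https the certificate check can only narrow the result, never widen it. It also shows the same logic for IPv6, since the check depends on address overlap and not on IP version.

```python
# Added example: RFC 7540 section 9.1.1 connection-reuse decision.
# Not code from the original post, from Firefox, or from the RFC.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, Iterable, Tuple


def norm_ips(ips: Iterable[str]) -> FrozenSet[str]:
    """Canonicalise textual addresses so different spellings of the
    same IPv4 or IPv6 address compare equal (e.g. 2001:DB8:0::1 == 2001:db8::1)."""
    return frozenset(str(ip_address(ip)) for ip in ips)


@dataclass(frozen=True)
class Connection:
    scheme: str                               # "http" or "https"
    resolved_ips: FrozenSet[str]              # addresses the first host resolved to
    cert_names: FrozenSet[str] = frozenset()  # SAN dNSNames on the server cert (https)


def cert_covers(names: Iterable[str], host: str) -> bool:
    """True if one of the certificate names matches host.
    Exact match, or a single-label wildcard such as *.example."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


def can_reuse(conn: Connection, scheme: str, host: str,
              host_ips: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether conn may carry a request for scheme://host.
    The IP-overlap test comes first for both schemes; for https the
    certificate check is an ADDITIONAL requirement on top of it."""
    if scheme != conn.scheme:
        return False, "scheme differs"
    if not norm_ips(host_ips) & conn.resolved_ips:
        return False, "no IP address overlap"
    if scheme == "http":
        return True, "IP overlap"
    if not cert_covers(conn.cert_names, host):
        return False, "IP overlap but certificate not valid for host"
    return True, "IP overlap and certificate valid for host"


# Constructed sample DNS answers (documentation ranges), not real resolution.
DNS: Dict[str, list] = {
    "a.example":  ["192.0.2.1", "192.0.2.2"],
    "b.example":  ["192.0.2.2", "192.0.2.3"],   # overlaps a.example on .2
    "c.example":  ["192.0.2.3"],                # no overlap with a.example
    "a6.example": ["2001:db8::1", "2001:db8::2"],
    "b6.example": ["2001:DB8:0:0:0:0:0:2"],     # same address as 2001:db8::2
}


def demo() -> Dict[str, bool]:
    """Run the scenarios discussed in the thread and return the decisions."""
    http_conn = Connection("http", norm_ips(DNS["a.example"]))
    wide_cert = frozenset({"a.example", "b.example", "c.example"})
    https_conn = Connection("https", norm_ips(DNS["a.example"]), wide_cert)
    narrow_conn = Connection("https", norm_ips(DNS["a.example"]),
                             frozenset({"a.example"}))
    v6_conn = Connection("http", norm_ips(DNS["a6.example"]))
    return {
        # http: overlap decides on its own
        "http b": can_reuse(http_conn, "http", "b.example", DNS["b.example"])[0],
        "http c": can_reuse(http_conn, "http", "c.example", DNS["c.example"])[0],
        # https: overlap AND certificate; a cert naming c.example does not
        # rescue a connection whose IPs c.example never resolved to
        "https b": can_reuse(https_conn, "https", "b.example", DNS["b.example"])[0],
        "https c": can_reuse(https_conn, "https", "c.example", DNS["c.example"])[0],
        "https b narrow cert": can_reuse(narrow_conn, "https", "b.example",
                                         DNS["b.example"])[0],
        # IPv6: the same overlap rule, independent of address family
        "v6 b6": can_reuse(v6_conn, "http", "b6.example", DNS["b6.example"])[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} reuse={ok}")
```

The `https c` case is the one the post objects to: a certificate that happens to list the host is not a substitute for the host having resolved to an address the connection already goes to; it is only an extra condition on top of that.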