Re: [hybi] Websocket: two protocols into one, and Internet rules broken
Anthony Catel <a.catel@weelya.com> Thu, 16 June 2011 14:21 UTC
Return-Path: <a.catel@weelya.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5AE411E80D7 for <hybi@ietfa.amsl.com>; Thu, 16 Jun 2011 07:21:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_43=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JGLyTSatM1dm for <hybi@ietfa.amsl.com>; Thu, 16 Jun 2011 07:21:51 -0700 (PDT)
Received: from hermes.weelya.com (hermes.weelya.com [91.121.5.68]) by ietfa.amsl.com (Postfix) with ESMTP id 23D6911E8084 for <hybi@ietf.org>; Thu, 16 Jun 2011 07:21:50 -0700 (PDT)
Received: from [192.168.1.239] (g231204086.adsl.alicedsl.de [92.231.204.86]) by hermes.weelya.com (Postfix) with ESMTPSA id BAD0A4B00B; Thu, 16 Jun 2011 16:27:04 +0200 (CEST)
Message-ID: <4DFA1173.9050509@weelya.com>
Date: Thu, 16 Jun 2011 16:21:39 +0200
From: Anthony Catel <a.catel@weelya.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: Iñaki Baz Castillo <ibc@aliax.net>
References: <BANLkTim4pKwx6wYC3WwXFWET+gx0bnjigQ@mail.gmail.com> <4DFA08A5.3010608@weelya.com> <BANLkTi=JGeFmkYcwqQJ_xe=3CGrXwHxHPg@mail.gmail.com>
In-Reply-To: <BANLkTi=JGeFmkYcwqQJ_xe=3CGrXwHxHPg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi@ietf.org
Subject: Re: [hybi] Websocket: two protocols into one, and Internet rules broken
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2011 14:21:51 -0000
>>> Now let's imagine we want web browsers to become real SIP or XMPP >>> clients (I don't mean SIP or XMPP over WebSocket). Do you expect that >>> the browser will first open a TCP connection, then send an HTTP >>> "handshake" and then switch same TCP stream to speak SIP or XMPP? and >>> all this stuff just because "HTTP is the only protocol in the world"? >> Ok, but how do you handle origin security? By writting a SIP extension? And >> thus for every new protocol you want to handle? > Security would be handled at SIP or XMPP level. I dont' understand the > problem. If a web browser becomes a real SIP or XMPP client it could > handle authentication as stated for SIP/XMPP and prompt the human user > when required (as when a web server replies 401). I mean, it the browser can open a "raw" TCP connection and implement any kind of protocol. This must lead to a prompt "Do you allow your browser to open a connection to xxxx:xxx?" which I think it's not suitable for user experience. >> Browsers were designed to speak HTTP. IMHO, if you break this rule, it >> leaves the doors wide open to any kind of crazy stuff. > Web-browsers must also speak DNS protocol (directly or indirectly, it > does not matter). If a new protocol is standarized for web browsers, > which is the problem? what about Flash or Java applets? they can open > TCP/UDP connections from the webbrowser to make usage of any other > protocol. Is it a risk? of course, so let's do standards and mandate > security mechanims. But that has nothing to do with "just use HTTP". No that's not true. For instance flash use HTTP to ask for a "crossdomain.xml" > Note that web browsers were originally designed to speak HTTP and > render HTML pages. But now everybody wants IM, video, audio and > whatever through a web browser. There is no need to implement all > these new requeriments on top of HTTP. Maybe HTTP is not a good > protocol for that! there are other protocols. > > Also, take into account that, after the handshake WebSocket is no > longer HTTP, so it *is* a different protocol. It doesn't matter what > browsers were originally designed to. > > Maybe but intermediate think it's HTTP :)
- Re: [hybi] Websocket: two protocols into one, and… Anthony Catel
- [hybi] Websocket: two protocols into one, and Int… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Anthony Catel
- Re: [hybi] Websocket: two protocols into one, and… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Willy Tarreau
- Re: [hybi] Websocket: two protocols into one, and… Anthony Catel
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Ian Fette (イアンフェッティ)
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Ian Fette (イアンフェッティ)
- Re: [hybi] Websocket: two protocols into one, and… Willy Tarreau
- Re: [hybi] Websocket: two protocols into one, and… Philipp Serafin
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Ian Fette (イアンフェッティ)
- Re: [hybi] Websocket: two protocols into one, and… Dave Cridland