Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

Willy Tarreau <> Tue, 06 September 2011 21:23 UTC

Date: Tue, 6 Sep 2011 23:24:25 +0200
From: Willy Tarreau <>
To: Stephen Farrell <>

On Tue, Sep 06, 2011 at 10:05:48PM +0100, Stephen Farrell wrote:
> Hi Richard,
> On 09/06/2011 06:57 PM, Richard L. Barnes wrote:
> > IMO, this is a pretty strong argument against masking, given how low the
> > observed rate of buggy intermediaries is (~0.0017%) and how high the
> > observed rate of malware propagation is.
> I'm not sure what you're comparing there. Can you elaborate?
> In fact, I'm not sure I get the malware argument. Malware
> authors are also free to obfuscate or mask their stuff,
> when both sides of the conversation but not the intermediaries
> are controlled as would be the case here. Or maybe I'm
> missing something?

No, you're not missing anything. Some malware even communicates
via micro-messaging such as Twitter nowadays; this is plain
valid HTTP!

> I personally think the masking thing is pretty ugly. But I
> have to (reluctantly) admit I think it does what it's
> supposed to do. At this stage I think it comes down to
> either doing the masking or not using port 80.

Indeed. Also the masking is optional in the protocol but defined
as mandatory in clients. So some special applications might very
well not implement it at all and some day it's very likely that
we'll get rid of it by default, just like the web doesn't work
well if you omit to post a Host header today.