Re: [hybi] Experiment comparing Upgrade and CONNECT
Michael Platov <michael.platov@gmail.com> Tue, 30 November 2010 12:39 UTC
Return-Path: <michael.platov@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D27D928C114 for <hybi@core3.amsl.com>; Tue, 30 Nov 2010 04:39:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.383
X-Spam-Level:
X-Spam-Status: No, score=-2.383 tagged_above=-999 required=5 tests=[AWL=0.215, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UGHUHYopfoM for <hybi@core3.amsl.com>; Tue, 30 Nov 2010 04:39:48 -0800 (PST)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by core3.amsl.com (Postfix) with ESMTP id 9379A28C0ED for <hybi@ietf.org>; Tue, 30 Nov 2010 04:39:47 -0800 (PST)
Received: by eyd10 with SMTP id 10so2788231eyd.31 for <hybi@ietf.org>; Tue, 30 Nov 2010 04:40:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:content-type:reply-to :subject:date:message-id:to:mime-version:x-mailer; bh=sy8B+1vVQhqZTlKXCpd+RhkhqTBUn0SjOOlCfbwgm94=; b=kTk87p60X2U/HjHN6qeY2n5by5apsPiKHP5nCnctxZXrdhx6zUUeJKPgHGljSdvyLb dSrASk9RP9IHjkAYPurz3b632FXmC5o+4/hbqoSzr5eh1FmHK/IWuSlRFLVgr9GqYu1q bUulmMPsGHXbiQFK/tHjQTZJ1Kwca0UI/fTO0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:content-type:reply-to:subject:date:message-id:to:mime-version :x-mailer; b=m5/DogFIcGoWSanFEMP4NEX/Wnct/GW8jxy7RVHMUyOWdscTWK/g5pMmEBZeunXf3c d9+e8ZJgDAIBiRwfikc8HH+m2hELpP1Ib3aKOVjc4e3jbiFraVNp8BPUt9wAy24ntozj wnBLGJvo773v4NmwSwh8Lp85JzW/iMugF8494=
Received: by 10.213.16.207 with SMTP id p15mr1928377eba.91.1291120858107; Tue, 30 Nov 2010 04:40:58 -0800 (PST)
Received: from [10.0.1.2] ([91.205.121.179]) by mx.google.com with ESMTPS id x54sm6324757eeh.17.2010.11.30.04.40.56 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 30 Nov 2010 04:40:57 -0800 (PST)
From: Michael Platov <michael.platov@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-1--718961131"
Date: Tue, 30 Nov 2010 15:40:51 +0300
Message-Id: <70169E25-90F5-448C-A4D9-2452D4D0690F@gmail.com>
To: hybi@ietf.org
Mime-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2010 12:39:50 -0000
> On 27.11.2010 00:48, Adam Barth wrote: >> David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been >> experimenting with the security of the Upgrade-based and CONNECT-based >> WebSocket handshakes. Please find a paper detailing our findings at >> this location: >> >> http://www.adambarth.com/experimental/websocket.pdf >> ... > > Very interesting stuff. > > How about: > > 1) Installing a permanent test service which would allow people to check > whether they have broken intermediaries in the path, and then We did just that two month ago to troubleshot the problems our users were having with WebSocket-enabled browsers. We've being using websockets (as an additional option, when they are available in a browser and work for the end user) and to help troubleshooting various problems we created a test service: http://websocketstest.com/ The test consists of connecting to a websocket-enabled server and sending some data back and forth. Same procedure is repeated for 3 different ports. A client is considered to have a working websocket connection if data exchange succeed at least for one of the websocket ports. For comparison, similar test is also run using Comet as a transport. Quick summary after running the test for 2 month (more than 4000 browsers tested): WebSocket browser support: 30% WebSocket success rate: 72% More detailed information on the experiment can be found here: http://websocketstest.com/ws/stats Our experience so far showed that there are two biggest obstacles for Websockets in the wild: 1. Proxy servers (or other intermediaries). We're trying to detect proxies by HTTP headers, but it seems that many proxies don't set them. Judging by ones who set them (~4% of all failed connections), we can say that some of the incompatible proxies include various version of Squid and Microsoft ISA Server (there are others, but it's hard to identify them by their headers). We also have seen some problems with squid in transparent proxying setup. 2. Antivirus software installed on the PCs of the end users. We found that some antiviruses are blocking websocket connections. For some of the them, adding a simple exception helps to resolve the issue. Most of the users aren't going or not able to update their antivirus rules anyway, so hopefully antivirus vendors will address this issue once the usage of the websockets increases. > > 2) Re-run the experiment again at a later point. > We'll probably do that once the new version of the protocol we'll be supported by the browsers of our end users. > Also: > > 3) Stop shipping implementations of the so-called "76" protocol; we > know, that the current version performs better because of the framing, > right? Even in its present form, websockets are useful as a backup option to workaround rare issue with Comet that are present in some environments. However, a version of a WebScoket protocol with better compatibility with existing HTTP-infrastructure (e.g. more HTTP-compatible handshake that works with already deployed HTTP proxies) is very anticipated. > > Best regards, Julian Best regards, Michael
- Re: [hybi] Experiment comparing Upgrade and CONNE… Michael Platov
- Re: [hybi] Experiment comparing Upgrade and CONNE… Joe Mason
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth