Re: [hybi] Why not just use ssh?

Willy Tarreau <w@1wt.eu> Wed, 01 September 2010 21:19 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E02D43A68A3 for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 14:19:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.413
X-Spam-Level:
X-Spam-Status: No, score=-2.413 tagged_above=-999 required=5 tests=[AWL=-0.970, BAYES_00=-2.599, HELO_IS_SMALL6=0.556, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwDjTXKGGf25 for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 14:19:33 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 926233A6873 for <hybi@ietf.org>; Wed, 1 Sep 2010 14:19:31 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o81LJx7Z010283; Wed, 1 Sep 2010 23:19:59 +0200
Date: Wed, 01 Sep 2010 23:19:59 +0200
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20100901211959.GA10275@1wt.eu>
References: <d48398080b610405d982ffd924f58e27.squirrel@sm.webmail.pair.com> <AANLkTin8CiHFoOSFdcRPern5YY-FdODC4GST+BrP3t_j@mail.gmail.com> <AANLkTi=fn2JE7a0b_0KFFLwq3eG_-xnaRazXAMPGi0N3@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBCBD@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTinE1MB10nUhpnU-SC+aLjPmFyu3NhjLC1-wMmW7@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBEF4@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTim5Wsfohbn2S0jpm6CDkq+xFcpzDTRWJ0YXWbcg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTim5Wsfohbn2S0jpm6CDkq+xFcpzDTRWJ0YXWbcg@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Why not just use ssh?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 21:19:34 -0000

Hello Adam,

On Wed, Sep 01, 2010 at 01:48:58PM -0700, Adam Barth wrote:
> I claim that the TLS+NPN protocol that I sent to the list earlier
> resists cross-protocol attacks, which are a clear and plausible threat
> model.  The security argument is fairly straightforward.
> 
> As for complexity, the TLS-only model is less complex than the
> existing handshake, as evidenced by the fact that I would describe it
> completely simply by deleting text from the current draft.

If we want to be fair, we should say that the TLS-only model requires
a lot more additional capabilities on intermediates and servers, and
certificate management on the server. We're not comparing apples to
apples. Also, the current text is heavy because it tries to redefine
something as complex as HTTP without saying it is HTTP. So basically
you have 2616 in the draft. Having a paragraph stating that it relies
on "Upgrade: WebSocket" in requests and responses with a 101 in the
response (as 2817 explains it) would be a lot smaller and more straightforward.

Also, I don't see why TLS could not be used on top of HTTP as is proposed
by 2817. This has the advantage of HTTP being easy to handle with existing
infrastructure and offers the better protection of TLS.

Just a few thoughts.

Willy
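
Added example, not part of Willy's message or of any hybi draft: the RFC 2817 Upgrade exchange his message refers to, with "Upgrade: WebSocket" in the request, a 101 in the response, and the same mechanism carrying "Upgrade: TLS/1.0" as in his second paragraph. The header names come from RFC 2817/2616; the host, path and messages are constructed, and the full draft WebSocket handshake (its extra Sec-* headers) is deliberately not modelled. The client-side check is the part a practitioner wants: the connection is only treated as carrying the new protocol after a genuine 101 naming exactly the requested protocol has been seen, otherwise it stays HTTP.

```python
"""RFC 2817-style HTTP/1.1 Upgrade exchange: server decides whether to
switch, client verifies that the switch really happened.  Example code
written for this thread; sample messages are constructed."""

from typing import Dict, Set, Tuple


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 message head into its start line and a lower-cased
    header map.  Parsing stops at the blank line: once a 101 has been seen,
    whatever follows belongs to the new protocol, not to HTTP."""
    head, _, _rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _tokens(value: str) -> Set[str]:
    """Comma-separated header tokens, lower-cased (Connection, Upgrade)."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def build_upgrade_request(host: str, path: str, protocol: str) -> bytes:
    # Constructed request offering an upgrade.  "Connection: Upgrade" is
    # mandatory (RFC 2616 14.42) because Upgrade is hop-by-hop: an
    # intermediary that does not understand it drops the header instead of
    # forwarding a half-understood upgrade to the origin.
    return (
        "GET %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Upgrade: %s\r\n"
        "Connection: Upgrade\r\n"
        "\r\n" % (path, host, protocol)
    ).encode("ascii")


def server_accepts_upgrade(raw_request: bytes, offered: Set[str]) -> bytes:
    """Server side.  Returns a 101 head when the request is a well-formed
    upgrade offer for a protocol in `offered` (lower-cased tokens); any
    other case gets an ordinary HTTP response and the connection stays HTTP,
    which is what RFC 2817 allows a server that ignores Upgrade to do."""
    _start, headers = parse_head(raw_request)
    if "upgrade" in _tokens(headers.get("connection", "")):
        # Client lists protocols in preference order; take the first we offer.
        for proto in headers.get("upgrade", "").split(","):
            proto = proto.strip()
            if proto and proto.lower() in offered:
                return (
                    "HTTP/1.1 101 Switching Protocols\r\n"
                    "Upgrade: %s\r\n"
                    "Connection: Upgrade\r\n\r\n" % proto
                ).encode("ascii")
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def client_verify_switch(raw_response: bytes, requested: str) -> bool:
    """Client side.  True only if the server really switched to the protocol
    we asked for: status 101, "Connection: Upgrade", and an Upgrade header
    naming exactly that protocol.  On False the caller must keep treating
    the connection as HTTP; starting to speak the new protocol on a
    connection that never switched is the confusion this check prevents."""
    start, headers = parse_head(raw_response)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.1") or parts[1] != "101":
        return False
    if "upgrade" not in _tokens(headers.get("connection", "")):
        return False
    return _tokens(headers.get("upgrade", "")) == {requested.lower()}


if __name__ == "__main__":
    for proto in ("WebSocket", "TLS/1.0"):
        req = build_upgrade_request("example.test", "/chat", proto)
        resp = server_accepts_upgrade(req, {"websocket", "tls/1.0"})
        print(proto, "switched:", client_verify_switch(resp, proto))
```

The server accepts the first offered protocol it supports and otherwise answers with a normal HTTP response; the client treats anything that is not a complete 101 with matching Upgrade and Connection headers as "still HTTP". A 101 that names a different protocol, or that lacks the Connection token, is rejected rather than trusted.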