Re: [hybi] Why not just use ssh?
Willy Tarreau <w@1wt.eu> Wed, 01 September 2010 21:19 UTC
Date: Wed, 01 Sep 2010 23:19:59 +0200
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20100901211959.GA10275@1wt.eu>
References: <d48398080b610405d982ffd924f58e27.squirrel@sm.webmail.pair.com> <AANLkTin8CiHFoOSFdcRPern5YY-FdODC4GST+BrP3t_j@mail.gmail.com> <AANLkTi=fn2JE7a0b_0KFFLwq3eG_-xnaRazXAMPGi0N3@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBCBD@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTinE1MB10nUhpnU-SC+aLjPmFyu3NhjLC1-wMmW7@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBEF4@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTim5Wsfohbn2S0jpm6CDkq+xFcpzDTRWJ0YXWbcg@mail.gmail.com>
In-Reply-To: <AANLkTim5Wsfohbn2S0jpm6CDkq+xFcpzDTRWJ0YXWbcg@mail.gmail.com>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Why not just use ssh?
Hello Adam,

On Wed, Sep 01, 2010 at 01:48:58PM -0700, Adam Barth wrote:
> I claim that the TLS+NPN protocol that I sent to the list earlier
> resists cross-protocol attacks, which are a clear and plausible threat
> model. The security argument is fairly straightforward.
>
> As for complexity, the TLS-only model is less complex than the
> existing handshake, as evidenced by the fact that I would describe it
> completely simply by deleting text from the current draft.

If we want to be fair, we should say that the TLS-only model requires a lot
more additional capabilities on intermediates and servers, and certificate
management on the server. We're not comparing apples to apples.

Also, the current text is heavy because it tries to redefine something as
complex as HTTP without saying it is HTTP. So basically you have 2616 in the
draft. Having a paragraph stating that it relies on "Upgrade: WebSocket" in
requests and responses with a 101 in the response (as 2817 explains it) would
be a lot smaller and more straightforward.

Also, I don't see why TLS could not be used on top of HTTP as is proposed by
2817. This has the advantage of HTTP being easy to handle with existing
infrastructure and offers the better protection of TLS.

Just a few thoughts.

Willy
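The handshake Willy sketches above ("Upgrade: WebSocket" in the request, 101 in the response, the same mechanism RFC 2817 uses for upgrading to TLS) is small enough to show in full. The following is an added example written for this archive page, not code from the post, from the hybi draft, or from any of the participants; it models the generic RFC 2616 Upgrade / RFC 2817 mechanism for both upgrade targets the message names and deliberately leaves out the WebSocket-specific key headers of the draft, which the message does not discuss. The sample requests are constructed, and `example.invalid` is a placeholder host.

```python
"""Strict HTTP/1.1 Upgrade negotiation, as a server would do it for
"Upgrade: WebSocket" or RFC 2817's "Upgrade: TLS/1.0".

Added example for the archived hybi discussion; not the draft's or the
poster's code. Only the generic Upgrade/101 exchange is modelled.
"""
from typing import Optional

# Protocols this hypothetical server can switch to: case-folded request
# token -> spelling echoed back in the 101 response.
SUPPORTED_UPGRADES = {"websocket": "WebSocket", "tls/1.0": "TLS/1.0"}


def parse_request_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Parse the request line and header block of an HTTP/1.1 request.

    Header names are folded to lower case. A repeated header is joined with
    ", " as RFC 2616 section 4.2 permits for list-valued fields, so a second
    Connection: line cannot hide an 'upgrade' token from the check below.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii").split("\r\n")
    if not lines[0]:
        raise ValueError("empty request head")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # No colon, empty name or leading whitespace (obsolete line folding)
        # is treated as malformed rather than guessed at.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers


def _tokens(value: str) -> list[str]:
    """Split a comma-separated header value into case-folded tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def negotiate_upgrade(raw: bytes) -> Optional[str]:
    """Return the protocol to switch to, or None to serve plain HTTP.

    The connection is switched only when the request is HTTP/1.1, the
    Upgrade header names a protocol we support, and Connection carries the
    'upgrade' token that RFC 2616 section 14.42 requires. Without that token
    the Upgrade header is ignored, so a request cannot flip the connection
    into another protocol unless every part of the handshake is present.
    """
    request_line, headers = parse_request_head(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        return None  # Upgrade is undefined for HTTP/1.0
    if "upgrade" not in headers:
        return None
    if "upgrade" not in _tokens(headers.get("connection", "")):
        return None
    # Upgrade lists protocols in the client's order of preference (RFC 2616
    # section 14.42); take the first one we support.
    for wanted in _tokens(headers["upgrade"]):
        if wanted in SUPPORTED_UPGRADES:
            return SUPPORTED_UPGRADES[wanted]
    return None


def switching_protocols(protocol: str) -> bytes:
    """Build the 101 response (RFC 2616 section 10.1.2) that completes the
    handshake; it is the last HTTP message on the connection."""
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        f"Upgrade: {protocol}\r\n"
        "Connection: Upgrade\r\n\r\n"
    ).encode("ascii")


# Constructed sample requests (not captured traffic).
WEBSOCKET_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n\r\n"
)
TLS_REQUEST = (  # the RFC 2817 style upgrade-to-TLS request
    b"OPTIONS * HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Upgrade: TLS/1.0\r\n"
    b"Connection: Upgrade\r\n\r\n"
)
MISSING_CONNECTION_TOKEN = (  # Upgrade present but not hop-by-hop declared
    b"GET /chat HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Upgrade: WebSocket\r\n\r\n"
)

if __name__ == "__main__":
    for req in (WEBSOCKET_REQUEST, TLS_REQUEST, MISSING_CONNECTION_TOKEN):
        proto = negotiate_upgrade(req)
        print(proto, switching_protocols(proto) if proto else b"(plain HTTP)")
```

The third sample is the case worth noticing from an intermediary's point of view: an `Upgrade:` header without the matching `Connection: Upgrade` token is served as ordinary HTTP rather than switching protocols, which is what keeps a half-formed handshake from changing what the bytes on the connection mean.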