IETF Logo Mail Archive

Re: [hybi] Extensibility mechanisms?

Mike Belshe <mike@belshe.com> Fri, 16 April 2010 21:34 UTC

Return-Path: <mike@belshe.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C12FE3A6BB6 for <hybi@core3.amsl.com>; Fri, 16 Apr 2010 14:34:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.624
X-Spam-Level:
X-Spam-Status: No, score=0.624 tagged_above=-999 required=5 tests=[BAYES_50=0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2exEGl0VsLy for <hybi@core3.amsl.com>; Fri, 16 Apr 2010 14:34:07 -0700 (PDT)
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) by core3.amsl.com (Postfix) with ESMTP id 35FCA28C27D for <hybi@ietf.org>; Fri, 16 Apr 2010 14:30:26 -0700 (PDT)
Received: by pvf33 with SMTP id 33so2054234pvf.31 for <hybi@ietf.org>; Fri, 16 Apr 2010 14:30:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.38.9 with HTTP; Fri, 16 Apr 2010 14:21:57 -0700 (PDT)
In-Reply-To: <Pine.LNX.4.64.1004161952530.751@ps20323.dreamhostps.com>
References: <h2w5c902b9e1004152345j992b815bz5f8d38f06a19181a@mail.gmail.com> <Pine.LNX.4.64.1004160701250.751@ps20323.dreamhostps.com> <4BC860FD.8080007@webtide.com> <Pine.LNX.4.64.1004161952530.751@ps20323.dreamhostps.com>
Date: Fri, 16 Apr 2010 14:21:57 -0700
Received: by 10.142.66.35 with SMTP id o35mr1240982wfa.300.1271452917471; Fri, 16 Apr 2010 14:21:57 -0700 (PDT)
Message-ID: <q2v2a10ed241004161421n164bc21etd35f1d753f1aed6f@mail.gmail.com>
From: Mike Belshe <mike@belshe.com>
To: Ian Hickson <ian@hixie.ch>
Content-Type: multipart/alternative; boundary="001636e0a6497e9a7c04846133bf"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Extensibility mechanisms?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2010 21:34:08 -0000

On Fri, Apr 16, 2010 at 1:13 PM, Ian Hickson <ian@hixie.ch> wrote:

> On Fri, 16 Apr 2010, Greg Wilkins wrote:
> >
> > The whole point of having a standard like websocket, is so that the
> > network infrastructure can implement the RFC and then we have known
> > semantics over that connection that intermediaries can at least handle
> > correctly, but may also do clever stuff with.
>
> That wasn't even on my list of reasons for originally coming up with
> TCPConnection, let alone the main reason.
>
> The main reason for the Web Socket protocol is to have one protocol that
> the browsers can all implement in an interoperable fashion so that servers
> can implement things once and have them work with all browsers. In the
> ideal deployment the connection is wrapped in end-to-end TLS, so the
> intermediaries can't do anything with it. There were only two reasons for
> even allowing unencrypted Web Socket originally: requiring amateurs to
> figure out TLS seemed like too high a bar, and there is still some concern
> that when the connection is being used for entirely public information,
> the TLS connection overhead is too expensive to justify.
>

We've done extensive tests on TLS.  There are four latency issues:
  a) CPU on the handshake. TLS is now cheap on modern hardware, and it gets
cheaper every day.  I'm sure there are a few sites which might have some
trouble migrating to 100% TLS, but when designing for protocols of the
future, this is not an issue (Moore's law!).  Round trips are orders of
magnitude more expensive than the CPU overhead of the handshake.  We do need
to make sure TLS implementations pick up modern extensions like client-side
session tickets.
  b) CPU on bulk encryption.  Once you get beyond the handshake, you can
negotiate RC4; we've benchmarked it, and it is the same speed as using the
null-cipher.  Using other ciphers are sometimes expensive, each is
different.
  c) Handshake Round Trips.  The extra round trip for TLS is the worst part
of TLS from a latency perspective (100ms to resume a session).  But,
WebSockets has a handshake of its own which is also 100ms!  So, if you're
going to take a handshake, you may as well get crypto while you do it - *it's
free!*
  d) Bandwidth.  TLS does use 2-3% more bandwidth than non-TLS on typical
page loads.  This is largely weighted in the handshake overhead, so it gets
amortized if you use the websocket over time.

Another common argument is the "I don't want to buy a certificate" argument,
but there are now CAs offering free certs which are trusted in all browsers'
root-ca lists.

Mike



>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email