IETF Logo Mail Archive

Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

Maciej Stachowiak <mjs@apple.com> Mon, 26 July 2010 05:02 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CFEA43A69B2 for <hybi@core3.amsl.com>; Sun, 25 Jul 2010 22:02:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.273
X-Spam-Level:
X-Spam-Status: No, score=-106.273 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e8QgQeMtr5kg for <hybi@core3.amsl.com>; Sun, 25 Jul 2010 22:02:23 -0700 (PDT)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 39BBE3A69D3 for <hybi@ietf.org>; Sun, 25 Jul 2010 22:02:22 -0700 (PDT)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out3.apple.com (Postfix) with ESMTP id 3418F9FA5AC6 for <hybi@ietf.org>; Sun, 25 Jul 2010 22:02:43 -0700 (PDT)
X-AuditID: 11807136-b7cc9ae000004162-e8-4c4d16f2a62d
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay15.apple.com (Apple SCV relay) with SMTP id 5F.D0.16738.2F61D4C4; Sun, 25 Jul 2010 22:02:42 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_v+wIPTzf1BszPhJB6cMFZw)"
Received: from [10.0.1.5] (c-69-181-42-237.hsd1.ca.comcast.net [69.181.42.237]) by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L650088YFCI1520@elliott.apple.com> for hybi@ietf.org; Sun, 25 Jul 2010 22:02:42 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <AANLkTi=Q-PVrdaWuOu3H=wUiphe6JB4C+LauSOXKozoY@mail.gmail.com>
Date: Sun, 25 Jul 2010 22:02:41 -0700
Message-id: <80FFB870-A0EF-4765-B172-9637638C1891@apple.com>
References: <AANLkTilfxps1wWjFrwrH_3Js6Q9E331AMKFRNHfeHcdL@mail.gmail.com> <AANLkTi=vPAnnK0=gE=YN10vt9b-f6sWXXcwK+La5SriO@mail.gmail.com> <623C6D70-B4AF-49EC-BA07-6F90BD0FFFBF@apple.com> <AANLkTi=Q-PVrdaWuOu3H=wUiphe6JB4C+LauSOXKozoY@mail.gmail.com>
To: Mike Belshe <mike@belshe.com>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] Insight you need to know: Browsers are at fault when servers crash
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2010 05:02:35 -0000

On Jul 25, 2010, at 9:00 PM, Mike Belshe wrote:

> On Sun, Jul 25, 2010 at 6:45 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> 
> On Jul 25, 2010, at 5:07 PM, Greg Wilkins wrote:
> 
> > Mike,
> >
> > thanks for translating the intent of the browser dudes and explaining why they are so concerned about this issue.
> >
> > I am certainly not opposed to taking measures to ensure that websocket is not a easy-touch for attackers to use against other protocols and also to make it more robust against attacks itself.    I think these are reasonable requirements.
> >
> > However, I still don't see why the only acceptable solution to these concerns has to be a rigid non compliant HTTP handshake with space counting and unframed bytes on the wire?
> >
> > I think this WG has to clearly accept the concerns of browser vendors and make sure that the requirements clearly capture them.     But in return, the browser vendors have to accept that there is more than one way to skin a cat, and perhaps we can consider alternative solutions than the one that is currently causing significant objections and real world problems.
> 
> From the perspective of a browser implementor:
> 
> (1) I definitely don't think that the current draft WebSocket protocol is the only possible effective defense against cross-protocol attacks.
> (2) If anything, I'm not sure that it is effective enough.
> (3) I believe there have been proposals made that are more effective at mitigating cross-protocol attacks than the current draft, such as the TLS next protocol mechanism. However, TLS-only has its own downsides.
> 
> Adam has also suggested encrypting the channel.  Even without TLS, this would go a long way toward preventing attackers from sending particular byte patterns over the wire, and could probably be done without adding round-trips.

I have a lot of trust in Adam on these kinds of issues, but I'll have to see the details to judge the security.

One question in my mind: would this design plausibly work on a port shared with a non-SSL Web server? Would it be able to go through non-SSL proxies? The inability to do these things is one of the largest downsides of TLS-only. Another downside is the need for a cert, but I imagine there is some way to use TLS without requiring certs.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email