Re: [hybi] workability (or otherwise) of HTTP upgrade

Greg Wilkins <gregw@webtide.com> Wed, 08 December 2010 09:26 UTC

In-Reply-To: <CF412E56-591F-46F4-AC45-F21D40E30CC9@apple.com>
References: <AANLkTin6=8_Bhn2YseoSHGh1OSkQzsYrTW=fMiPvYps1@mail.gmail.com> <20101126000352.ad396b9a.eric@bisonsystems.net> <AANLkTimzQyG4hugOvHqoNrBrZFA4fGbGXQ7MZ2i+68dO@mail.gmail.com> <BB947F6D-15AA-455D-B830-5E12C80C1ACD@mnot.net> <81870DB1-B177-4253-8233-52C4168BE99D@apple.com> <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net> <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com> <C51C08FD-989E-43AC-A17B-EA4483CC2F9C@mnot.net> <CF412E56-591F-46F4-AC45-F21D40E30CC9@apple.com>
Date: Wed, 08 Dec 2010 10:28:02 +0100
Message-ID: <AANLkTikKmz0tgy6d3f89ZwkghZDPpChDnJXk87e53=4k@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Maciej Stachowiak <mjs@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

On 8 December 2010 00:47, Maciej Stachowiak <mjs@apple.com> wrote:
> The main complaint about CONNECT from server folks seems to be literally a
> question of semantics. There is also the related practical issue of having
> to turn off alerts on CONNECT attempts if you want to serve WebSocket.

Maciej,

While I agree that semantics is an element of the complaints against
CONNECT, I do not think it is the main complaint.

One part of the technical complaint is that CONNECT is not a method
that should arrive at an origin server and has been the basis of past
attacks.   It is not just a matter of turning off alerts for CONNECTs
arriving in a data centre so that websocket can work, as the concern
would be what other attacks are you opening up on other infrastructure
by allowing connects.   If the inclusion of websocket headers is
sufficient to turn off attack alerts, then we may be re-enabling
classes of attack that have previously been dealt with.

Another complaint of substance with the CONNECT proposal as it has
been made is the bogus host headers, which likewise can break a lot of
existing HTTP infrastructure.

I'm not saying these issues cannot be dealt with, but they also cannot
be dismissed out of hand. We have very senior/experienced people
saying that letting CONNECT requests reach the servers is going to be
a real problem.  We need to address that with a little more rigour
than suggesting we just turn off alerts.

regards
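The screening the message argues for, as an added example that is not part of the thread and is not code from any of its participants: an origin server (or the reverse proxy in front of it) refusing CONNECT outright, rejecting requests whose Host header does not name a host it serves, and still accepting an HTTP Upgrade handshake for WebSocket. The hostnames, the sample requests and the status codes chosen for each verdict are assumptions made for the example.

```python
"""Origin-side request screening for WebSocket handshakes.

Added example, not code from the hybi thread or its participants.
The served hostnames and the request samples are constructed for
illustration.
"""
from dataclasses import dataclass

# Hostnames this origin is willing to answer for (assumed for the example).
SERVED_HOSTS = {"example.org", "ws.example.org"}


@dataclass
class Verdict:
    status: int   # HTTP status the server would answer with
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers).

    Header names are lower-cased. A malformed head raises ValueError.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("bad request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def screen(raw: bytes) -> Verdict:
    """Decide what an origin should do with one request head."""
    try:
        method, target, version, h = parse_request(raw)
    except ValueError as e:
        return Verdict(400, str(e))

    # CONNECT is a proxy method; an origin has no business acting on it,
    # whatever other headers come with it.
    if method == "CONNECT":
        return Verdict(405, "CONNECT refused at origin")

    # Host must name this server; a missing or foreign Host is rejected
    # before any upgrade logic runs.
    host = h.get("host", "").split(":")[0].lower()
    if host not in SERVED_HOSTS:
        return Verdict(400, f"Host {host!r} not served here")

    # Accept the Upgrade handshake only in its HTTP/1.1 GET form.
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "upgrade" in conn_tokens and h.get("upgrade", "").lower() == "websocket":
        if method != "GET" or version != "HTTP/1.1":
            return Verdict(400, "WebSocket upgrade requires GET over HTTP/1.1")
        return Verdict(101, "switching protocols")

    return Verdict(200, "ordinary HTTP request")


# Constructed sample request heads (not captured traffic).
UPGRADE_REQ = (b"GET /chat HTTP/1.1\r\nHost: ws.example.org\r\n"
               b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
CONNECT_REQ = (b"CONNECT ws.example.org:80 HTTP/1.1\r\nHost: ws.example.org\r\n"
               b"Upgrade: WebSocket\r\n\r\n")
FOREIGN_HOST_REQ = (b"GET /chat HTTP/1.1\r\nHost: other.example.net\r\n"
                    b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("upgrade", UPGRADE_REQ), ("connect", CONNECT_REQ),
                      ("foreign host", FOREIGN_HOST_REQ)):
        print(f"{name:13s} -> {screen(req)}")
```

The Host check runs before the upgrade check on purpose: a request that carries WebSocket headers but names a host the origin does not serve is refused on the Host alone, so the presence of upgrade headers never becomes a way past the method or Host filters.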