Re: [hybi] More feedback on WebSockets

Mark Nottingham <mnot@mnot.net> Tue, 27 October 2009 21:23 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C3553A68DE for <hybi@core3.amsl.com>; Tue, 27 Oct 2009 14:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.225
X-Spam-Level:
X-Spam-Status: No, score=-5.225 tagged_above=-999 required=5 tests=[AWL=-2.626, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jtmD2kbofVVq for <hybi@core3.amsl.com>; Tue, 27 Oct 2009 14:23:12 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id CFC633A68B1 for <hybi@ietf.org>; Tue, 27 Oct 2009 14:23:11 -0700 (PDT)
Received: from chancetrain-lm.mnot.net (unknown [118.209.5.85]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 63E37509E1; Tue, 27 Oct 2009 17:23:18 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1076)
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <Pine.LNX.4.62.0910270912040.9145@hixie.dreamhostps.com>
Date: Wed, 28 Oct 2009 08:23:15 +1100
Content-Transfer-Encoding: 7bit
Message-Id: <FAEBA8A9-8142-4180-8026-1EDA8C408919@mnot.net>
References: <FDC38D4B-AB64-4F6B-B569-81D7A56DEC8D@mnot.net> <Pine.LNX.4.62.0910270912040.9145@hixie.dreamhostps.com>
To: Ian Hickson <ian@hixie.ch>
X-Mailer: Apple Mail (2.1076)
Cc: hybi@ietf.org
Subject: Re: [hybi] More feedback on WebSockets
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2009 21:23:13 -0000

On 27/10/2009, at 8:37 PM, Ian Hickson wrote:
>>
>> 2) The handshake protocol looks like HTTP, but is not (e.g., it's  
>> case-
>> sensitive and whitespace-sensitive). However, you define the default
>> ports for WS and WSS to be port 80 and 443, respectively.
>>
>> These ports are reserved for HTTP, at least initially; while you  
>> can use
>> HTTP to upgrade to a different protocol, defining a
>> HTTP-like-but-not-really-HTTP handshake protocol to run over them
>> initially conflicts with the designated use of the port.
>
> IANA told me to use ports 80 and 443 for WebSocket. See IANA ticket
> #257455. (I had originally requested new ports, ideally 81 and 815.)
>
> I disagree that the current handshake isn't like HTTP enough, though.

I didn't say it isn't like it (in fact, I specifically said it is); I  
said that it isn't HTTP.

Just as Starbucks is like coffee, but not; or a vehicle that only  
allows you to turn the steering wheel left is like a car, but not.  
There are many more examples I could produce, but decency suggests I  
stop.

You've effectively profiled the syntactic conventions of HTTP.  
Implementations that speak HTTP -- whether profiled or not -- should  
be able to do so confidently on the port allocated to it.


> The
> request is fully HTTP-compliant. What value would there be in  
> relaxing the
> rules on what WebSocket clients should send in the request? I don't
> understand the real-world case you are concerned about.

My concern is with the precedent it will set.

As far as real-world use cases, I think that your handshake has a  
significant chance of producing false positives with deployed systems;  
many so-called "transparent" (interception) proxies often take great  
pains to stay hidden, so that while the client and server will think  
they have an operative WebSocket connection, as soon as they try to do  
any bi-directional (i.e., not request/response) communication, it will  
fail in a non-obvious, slow way (e.g., hanging) that's hard to recover  
from.

You'd be better off using a handshake that looks as little like HTTP  
as possible, so as to fail more reliably and quickly. Or, preferably,  
another port.


>> 3) In section 1.6 (Establishing a Connection), you say
>>
>>> On the face of it, the simplest method would seem to be to use port
>>>   80 to get a direct connection to a Web Socket server.  Port 80
>>>   traffic, however, will often be intercepted by HTTP proxies, which
>>>   can lead to the connection failing to be established.
>>
>> Given this, is it a good idea for the default port for the WS  
>> scheme to
>> be port 80? Why not use a separate port and fall back to 443 with  
>> null
>> encryption, for example?
>
> That's what the spec used to require, but IANA requested that I use  
> ports
> 80 and 443 directly.

What was the reasoning behind this request? The ticket number you  
refer to isn't useful to those not involved.


> and how do I indicate that multiple subprotocols are in use on one
>> connection?
>
> Only one protocol can be in use per connection. If your protocol is  
> just
> another layer below the final application-level protocol, then your
> protocol would have its own equivalent mechanism.

Hmm. This seems like punting the problem to yet another layer.  
However, I do agree that offering a complete solution in WS is  
difficult at best.


--
Mark Nottingham     http://www.mnot.net/