IETF Logo Mail Archive

Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Adam Barth <ietf@adambarth.com> Sat, 27 November 2010 16:56 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4E54528C0D8 for <hybi@core3.amsl.com>; Sat, 27 Nov 2010 08:56:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.57
X-Spam-Level:
X-Spam-Status: No, score=-4.57 tagged_above=-999 required=5 tests=[AWL=-0.593, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9t5F7MULCEeg for <hybi@core3.amsl.com>; Sat, 27 Nov 2010 08:56:04 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 5B87428B797 for <hybi@ietf.org>; Sat, 27 Nov 2010 08:56:04 -0800 (PST)
Received: by ywh2 with SMTP id 2so1455869ywh.31 for <hybi@ietf.org>; Sat, 27 Nov 2010 08:57:10 -0800 (PST)
Received: by 10.91.43.1 with SMTP id v1mr6239361agj.208.1290877029871; Sat, 27 Nov 2010 08:57:09 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id t1sm2554564ano.23.2010.11.27.08.57.08 (version=SSLv3 cipher=RC4-MD5); Sat, 27 Nov 2010 08:57:08 -0800 (PST)
Received: by iwn40 with SMTP id 40so3857530iwn.31 for <hybi@ietf.org>; Sat, 27 Nov 2010 08:57:07 -0800 (PST)
Received: by 10.231.39.129 with SMTP id g1mr3094664ibe.178.1290877027471; Sat, 27 Nov 2010 08:57:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.12.77 with HTTP; Sat, 27 Nov 2010 08:56:37 -0800 (PST)
In-Reply-To: <AANLkTi=2M1ubEgR44PL7JpydkaZaOwwimuvhJq=E30+A@mail.gmail.com>
References: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com> <AANLkTimSu1fOGCg0gqX2EFh4v-MkpZuY_-onm3+TO_Z0@mail.gmail.com> <AANLkTimYpdp-75BQSmhAUfyrQv19LvzF1ouznst+ANUG@mail.gmail.com> <AANLkTikbycTS51Ein9ybbZ52zcrViFCNBjCmpRGD3yCk@mail.gmail.com> <AANLkTim=_Ey_7tSJ0H8OKzip-UcwtJ=YMG5wf_f_qnty@mail.gmail.com> <20101127071644.GB26428@1wt.eu> <AANLkTi=Rqu-hm=Jy-GFf706smD8zEHbeD-oP7dNCN6Ro@mail.gmail.com> <20101127161638.GE26428@1wt.eu> <AANLkTi=snwcb8F89KjpD8tQUYSSBr6YF1OdaGgr1e9Xa@mail.gmail.com> <AANLkTi=2M1ubEgR44PL7JpydkaZaOwwimuvhJq=E30+A@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 27 Nov 2010 08:56:37 -0800
Message-ID: <AANLkTimsuTj7aQttmVObPD1QWxeFmhscnuhnk1uAufsF@mail.gmail.com>
To: ifette@google.com
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Nov 2010 16:56:05 -0000

2010/11/27 Ian Fette (イアンフェッティ) <ifette@google.com>:
> On Sat, Nov 27, 2010 at 8:24 AM, Adam Barth <ietf@adambarth.com> wrote:
>> On Sat, Nov 27, 2010 at 8:16 AM, Willy Tarreau <w@1wt.eu> wrote:
>> > On Sat, Nov 27, 2010 at 07:51:17AM -0800, Eric Rescorla wrote:
>> >> What's the argument *for* having an insecure handshake?
>> >
>> > There's no argument *for* having an insecure handshake, there are
>> > arguments
>> > for having a safe HTTP-compliant handshake.
>>
>> The handshake we're proposing is both safe and HTTP compliant.
>
> I really appreciate all the work you and others have done with this paper. I
> have a few questions I'd like to ask if you wouldn't mind.
> #1, if we changed the non-bogus Host header to be the real host, do you
> believe that would have any substantial negative impact?

We didn't run that experiment, so I can't say for sure, but my
impression is that it would not have a substantial negative impact.
That mitigation is for the virtual hosting scenario where one virtual
host might accept the handshake on behalf of the whole physical host.
These attacks are, of course, much more expensive to mount than the
attacks described in the paper, which are quite cheap.

> #2 Is there anything else that is in the handshake proposal that is perhaps
> HTTP compliant by the letter but not the spirit? (Other than CONNECT vs
> UPGRADE -- I think you've made that case.)
> I personally don't care strongly enough about the above to call them a
> requirement, but a number of people on this list have raised the HTTP compat
> issue so I would like to better understand what that would imply with the
> proposal this paper suggests the group move forward with.

We've moved some of the bits around since the first draft to make the
handshake HTTP compliant.  For example, we used to send the metadata
in the entity body, but HTTP forbids CONNECT requests from having an
entity body, so we now send the data in a header.  I don't know of
anything in the current proposal that violates HTTP.  If folks point
out specific aspects they believe are in violation, I'm sure we can
find a way to fix them.

Adam

v2.23.0 | Report a Bug | By Email