Re: [hybi] deflate-stream and masking

David Endicott <dendicott@gmail.com> Wed, 20 July 2011 18:55 UTC

Return-Path: <dendicott@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C4A221F8AA8 for <hybi@ietfa.amsl.com>; Wed, 20 Jul 2011 11:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVQya9P44JHm for <hybi@ietfa.amsl.com>; Wed, 20 Jul 2011 11:55:48 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id 00DBF21F8ABE for <hybi@ietf.org>; Wed, 20 Jul 2011 11:55:47 -0700 (PDT)
Received: by wyj26 with SMTP id 26so427181wyj.31 for <hybi@ietf.org>; Wed, 20 Jul 2011 11:55:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Ko7PPVjuB6Go99RdsIBt/SqsFcH/SoHs/1fMhlTwcF8=; b=MTwzAoRtH3hTi6JeV6KRnFQ3sQl5FwqV9Y4mNj+3sqrm+IbKyZgD8w3oV4CjPwq84+ hA1QgKjUk8ry/qKta94+4Is5R8LanorSlKntc3aw/aYXTzhvK8VQY7a5Jxb52DwdY8HR 50uIN3qSp/a7H5mh4bi0okc05lNg4WAkwfDas=
MIME-Version: 1.0
Received: by 10.217.6.82 with SMTP id x60mr25581wes.18.1311188101159; Wed, 20 Jul 2011 11:55:01 -0700 (PDT)
Received: by 10.216.39.197 with HTTP; Wed, 20 Jul 2011 11:55:00 -0700 (PDT)
In-Reply-To: <00b801cc470a$d2d5e520$7881af60$@noemax.com>
References: <BANLkTi=UVMAd1nER6mRBe7zoD29CSbCkGA@mail.gmail.com> <CAH_y2NFMdr1ZU2dfy9mCRepZc2R_hnzg0oa3kYPKhWY-FX_8Og@mail.gmail.com> <CAE8AN_V-P2L0mVwjPQYxAypJ67=QWKAhWnDqrM_XmDQXjJbEHA@mail.gmail.com> <CAP992=HmZM9H2i+rFLVNrJVzfQT2qSPzWRm4gQXc2wTQ8fdBTA@mail.gmail.com> <00b801cc470a$d2d5e520$7881af60$@noemax.com>
Date: Wed, 20 Jul 2011 14:55:00 -0400
Message-ID: <CAP992=Gvz7CT=fZSX=t_7J3YAGF7kKsA9a6M0UQJP3HXxMBANQ@mail.gmail.com>
From: David Endicott <dendicott@gmail.com>
To: Alexander Philippou <alex@noemax.com>
Content-Type: multipart/alternative; boundary=20cf301fb94d00d95f04a884c5c8
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] deflate-stream and masking
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 18:55:49 -0000

I'm basing my position on Greg's comment above that:

> I've just noticed that the w3c is currently intending to make support
> for deflate-stream mandatory!
> http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917

If I cannot avoid it in my implementations (because browsers make it
mandatory), then I'm strongly opposed.

If it remains an optional extension, then I revert to a Don't Care position.


On Wed, Jul 20, 2011 at 2:28 PM, Alexander Philippou <alex@noemax.com>wrote;wrote:

> But currently it is an extension and thus optional, isn't it?****
>
> ** **
>
> ** **
>
> *From:* hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] *On Behalf Of
> *David Endicott
> *Sent:* Wednesday 20 July 2011 21:10
> *To:* Brian
> *Cc:* Hybi; Greg Wilkins
>
> *Subject:* Re: [hybi] deflate-stream and masking****
>
> ** **
>
> Unlurking to agree.     ****
>
> ** **
>
> When it was optional it was avoidable and non-impairing.   It should not be
> mandatory.    ****
>
> ** **
>
> +6.02 x10^23 votes for removal from specification (which when deflated is
> just +1, I believe)****
>
> ** **
>
> ** **
>
> On Wed, Jul 20, 2011 at 5:50 AM, Brian <theturtle32@gmail.com> wrote:****
>
> +500.  deflate-stream has always been utterly ridiculous in light of
> masking.  It really should get the axe, and with extreme prejudice.  Why is
> it still in the spec?  I don't recall anyone citing a reasonable reason for
> keeping it, but there have been many very good arguments against it.  It's
> not even very clearly specified in the document -- when I implemented it in
> my Flash client, I had to read the source code of Andy Green's
> implementation to figure out how it was supposed to work -- his
> implementation became my specification for the extension.****
>
> ** **
>
> Brian****
>
> ** **
>
> On Tue, Jul 19, 2011 at 7:34 PM, Greg Wilkins <gregw@intalio.com> wrote:**
> **
>
> I've just noticed that the w3c is currently intending to make support
> for deflate-stream mandatory!
>
>  http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917
>
> This moves this extension from being useless, but mostly harmless, to
> being a major impost on servers and intermediaries.
> If the browser make this mandatory, then servers will obviously have
> to support it at a cost of extra CPU, extra buffers but for no
> significant savings in bandwidth.
> Intermediaries that wish to act on frame boundaries will also have to
> implement it.
>
> This illustrate that having silly options always puts you at risk of
> people taking you up on those options.
>
> This extension is demonstrably broken and needs to be either fixed or
> removed.
>
> regards****
>
>
>
>
> On 20 June 2011 16:33, Greg Wilkins <gregw@intalio.com> wrote:
> > As part of my continuing campaign against including deflate-stream in
> > the specification as a standard extension, I did a quick test of how
> > well it works when applied to masked frames.
> >
> > I took a days worth of traffic from an IRC channel and wrapped it up
> > as JSON messages sent as websocket frames.
> > There were 487 message that looked like:
> >
> >     {channel:"#webtide", username:"tbecker", text:"joakime: jenkins
> > had issues pulling from github a couple of times  last week"}
> >
> > As an unmasked WS stream, it was 50675 bytes, and as a masked stream
> > is was 52623 bytes.
> > I then compressed both these streams with gzip and got 13306 bytes for
> > unmasked and 51704 bytes for the masked!!!!
> >
> > So for this very typical example, masking was sufficiently random to
> > completely negate the benefits of compression.
> >
> > So the deflate-stream "extension" is:
> >
> >  + next to useless for inbound traffic
> >  + breaks all the rules of what an extension can do
> >  + is potentially vulnerable to injection as attackers can send
> > repeated patterns that may subvert masking
> >  + can be replaced by the in-frame compression extension already
> proposed.
> >  + was inserted in the draft with little or no discussion and without
> > clear consensus.
> >
> > Can I call for a straw poll of who wants to keep this extension in the
> spec?
> >
> >
> >
> > regards
> >
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi****
>
> ** **
>
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi****
>
> ** **
>