IETF Logo Mail Archive

Re: [hybi] Moving to a CONNECT-based handshake

"Joe Hildebrand" <Joe.Hildebrand@webex.com> Tue, 30 November 2010 19:42 UTC

Return-Path: <Joe.Hildebrand@webex.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 34D523A6BE1 for <hybi@core3.amsl.com>; Tue, 30 Nov 2010 11:42:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.859
X-Spam-Level:
X-Spam-Status: No, score=-103.859 tagged_above=-999 required=5 tests=[AWL=0.671, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, RCVD_NUMERIC_HELO=2.067, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SDmkzeWwuR+0 for <hybi@core3.amsl.com>; Tue, 30 Nov 2010 11:42:24 -0800 (PST)
Received: from gw1.webex.com (gw1.webex.com [64.68.122.208]) by core3.amsl.com (Postfix) with SMTP id 2BA563A6BE2 for <hybi@ietf.org>; Tue, 30 Nov 2010 11:42:23 -0800 (PST)
Received: from SRV-EXSC03.webex.local ([192.168.252.197]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 30 Nov 2010 11:43:35 -0800
Received: from 66.114.175.12 ([66.114.175.12]) by SRV-EXSC03.webex.local ([192.168.252.200]) with Microsoft Exchange Server HTTP-DAV ; Tue, 30 Nov 2010 19:43:33 +0000
References: <op.vmzqkhszidj3kv@simon-pieterss-macbook.local> <4CF52558.9010100@gmx.de> <4CF529FF.9080708@opera.com> <BB31C4AB95A70042A256109D4619912605790150@XCH117CNC.rim.net> <AANLkTimzTvtho0m9HZSe6exgSwZxbCnxtmeJd2-G0aSK@mail.gmail.com> <BB31C4AB95A70042A256109D4619912605790178@XCH117CNC.rim.net> <BB31C4AB95A70042A256109D4619912605790190@XCH117CNC.rim.net> <AANLkTimQJz22RtoVnB16C8Mi4C8=QKB946wSR9BRsP85@mail.gmail.com> <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com>
Content-Transfer-Encoding: 7bit
Thread-Topic: [hybi] Moving to a CONNECT-based handshake
Thread-Index: AcuQxt9yyV9V8kahQ82EShJPDHZu6A==
From: Joe Hildebrand <Joe.Hildebrand@webex.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-26--693648904"; charset="utf-8"
In-Reply-To: <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com>
Message-ID: <0FB073DB-9435-4DD6-8E7C-CD04DE75A104@webex.co>
Date: Tue, 30 Nov 2010 12:42:43 -0700
To: John Tamplin <jat@google.com>
MIME-Version: 1.0 (iPhone Mail 8C148)
X-OriginalArrivalTime: 30 Nov 2010 19:43:35.0393 (UTC) FILETIME=[E075C510:01CB90C6]
Cc: hybi@ietf.org
Subject: Re: [hybi] Moving to a CONNECT-based handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2010 19:42:25 -0000

That's been suggested in the past, and likely won't get us to consensus quicker. 

-- 
Joe Hildebrand

On Nov 30, 2010, at 12:13 PM, "John Tamplin" <jat@google.com> wrote:

> On Tue, Nov 30, 2010 at 1:39 PM, Ian Fette (イアンフェッティ) <ifette@google.com> wrote:
> So, can we make a decision? CCing Joe and Sal, I would like to see a call for consensus.
> 
> What exactly would we be making a call for consensus on?  It seems there are strong objectors to Adam's proposal.
> 
> I have implemented a slightly earlier version (using AES, different bogus host header, HTTP headers instead of JSON) of Adam's proposal and it seems to work fine.
> 
> I still have concerns about WebSocket traffic to port 80 getting through any non-transparent proxy however, since all of the ones I have seen are configured by default to only allow CONNECT requests to port 443.
> 
> Should we consider initially supporting only port 443?  With all the attacks on unencrypted connections (such as Firesheep making it easy and in the news), it wouldn't be a bad thing to avoid the problem entirely.  That would also solve the attacks Adam saw since the proxy can't decrypt the traffic to be confused by it, and it should make it easier to traverse such proxies since they already work that way to allow HTTPS connections.  We could have ws not check the certificate, while wss does, so ws wouldn't give protection against man-in-the-middle attacks but wouldn't require the servers to have real certificates (they could just use self-signed certs).  If we do this, the details of the handshake are less important -- probably the v03 handshake is fine.
> 
> The downsides would be:
> virtual hosting WebSocket connections requires TLS SNI support, which AFAIK means the only browser with signficant market share that doesn't support it is IE6
> client-side TLS SNI support seems weak (AFAIK, there is no way for a Java client to support it)
> some intermediaries may just block it if they can't filter/audit it
> some configuration overhead on servers
> some CPU overhead (though Google publications have indicated this is very low)
> Is this worth proposing on the group?
> 
> -- 
> John A. Tamplin
> Software Engineer (GWT), Google

v2.23.0 | Report a Bug | By Email