Re: [hybi] Moving to a CONNECT-based handshake
"Joe Hildebrand" <Joe.Hildebrand@webex.com> Tue, 30 November 2010 19:42 UTC
Return-Path: <Joe.Hildebrand@webex.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 34D523A6BE1 for <hybi@core3.amsl.com>; Tue, 30 Nov 2010 11:42:25 -0800 (PST)
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SDmkzeWwuR+0 for <hybi@core3.amsl.com>; Tue, 30 Nov 2010 11:42:24 -0800 (PST)
Received: from gw1.webex.com (gw1.webex.com [64.68.122.208]) by core3.amsl.com (Postfix) with SMTP id 2BA563A6BE2 for <hybi@ietf.org>; Tue, 30 Nov 2010 11:42:23 -0800 (PST)
Received: from SRV-EXSC03.webex.local ([192.168.252.197]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 30 Nov 2010 11:43:35 -0800
Received: from 66.114.175.12 ([66.114.175.12]) by SRV-EXSC03.webex.local ([192.168.252.200]) with Microsoft Exchange Server HTTP-DAV ; Tue, 30 Nov 2010 19:43:33 +0000
References: <op.vmzqkhszidj3kv@simon-pieterss-macbook.local> <4CF52558.9010100@gmx.de> <4CF529FF.9080708@opera.com> <BB31C4AB95A70042A256109D4619912605790150@XCH117CNC.rim.net> <AANLkTimzTvtho0m9HZSe6exgSwZxbCnxtmeJd2-G0aSK@mail.gmail.com> <BB31C4AB95A70042A256109D4619912605790178@XCH117CNC.rim.net> <BB31C4AB95A70042A256109D4619912605790190@XCH117CNC.rim.net> <AANLkTimQJz22RtoVnB16C8Mi4C8=QKB946wSR9BRsP85@mail.gmail.com> <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com>
Content-Transfer-Encoding: 7bit
Thread-Topic: [hybi] Moving to a CONNECT-based handshake
Thread-Index: AcuQxt9yyV9V8kahQ82EShJPDHZu6A==
From: Joe Hildebrand <Joe.Hildebrand@webex.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-26--693648904"; charset="utf-8"
In-Reply-To: <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com>
Message-ID: <0FB073DB-9435-4DD6-8E7C-CD04DE75A104@webex.co>
Date: Tue, 30 Nov 2010 12:42:43 -0700
To: John Tamplin <jat@google.com>
MIME-Version: 1.0 (iPhone Mail 8C148)
X-OriginalArrivalTime: 30 Nov 2010 19:43:35.0393 (UTC) FILETIME=[E075C510:01CB90C6]
Cc: hybi@ietf.org
Subject: Re: [hybi] Moving to a CONNECT-based handshake
That's been suggested in the past, and likely won't get us to consensus quicker.

--
Joe Hildebrand

On Nov 30, 2010, at 12:13 PM, "John Tamplin" <jat@google.com> wrote:

> On Tue, Nov 30, 2010 at 1:39 PM, Ian Fette (イアンフェッティ) <ifette@google.com> wrote:
>> So, can we make a decision? CCing Joe and Sal, I would like to see a call for consensus.
>
> What exactly would we be making a call for consensus on? It seems there are strong objectors to Adam's proposal.
>
> I have implemented a slightly earlier version (using AES, different bogus host header, HTTP headers instead of JSON) of Adam's proposal and it seems to work fine.
>
> I still have concerns about WebSocket traffic to port 80 getting through any non-transparent proxy however, since all of the ones I have seen are configured by default to only allow CONNECT requests to port 443.
>
> Should we consider initially supporting only port 443? With all the attacks on unencrypted connections (such as Firesheep making it easy and in the news), it wouldn't be a bad thing to avoid the problem entirely. That would also solve the attacks Adam saw since the proxy can't decrypt the traffic to be confused by it, and it should make it easier to traverse such proxies since they already work that way to allow HTTPS connections. We could have ws not check the certificate, while wss does, so ws wouldn't give protection against man-in-the-middle attacks but wouldn't require the servers to have real certificates (they could just use self-signed certs). If we do this, the details of the handshake are less important -- probably the v03 handshake is fine.
>
> The downsides would be:
> - virtual hosting WebSocket connections requires TLS SNI support, which AFAIK means the only browser with significant market share that doesn't support it is IE6
> - client-side TLS SNI support seems weak (AFAIK, there is no way for a Java client to support it)
> - some intermediaries may just block it if they can't filter/audit it
> - some configuration overhead on servers
> - some CPU overhead (though Google publications have indicated this is very low)
>
> Is this worth proposing on the group?
>
> --
> John A. Tamplin
> Software Engineer (GWT), Google
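The two technical points in the quoted message are (a) that a non-transparent forward proxy will typically refuse a CONNECT to port 80 and accept one to 443, and (b) the suggestion that ws could run over TLS on 443 without certificate verification while wss verifies. The following is an added illustration written for this archive page; it is not code from the thread participants or from any hybi draft. It simulates the CONNECT exchange in-process with a constructed port-restricted proxy (no sockets are opened; `PortRestrictedProxy`, `build_connect_request`, `try_tunnel` and `tls_context_for` are names invented here), and builds the two client TLS contexts the proposal describes using Python's standard `ssl` module.

```python
"""Simulated HTTP CONNECT handshake against a forward proxy that only
tunnels to port 443, plus the ws/wss client TLS settings proposed in the
quoted message.  All traffic is constructed in-process for illustration."""

import ssl

CRLF = "\r\n"


def build_connect_request(host: str, port: int, extra_headers=None) -> bytes:
    """Build the CONNECT request a client sends to a forward proxy.

    The request-target is authority-form (host:port) and Host mirrors it.
    extra_headers lets a WebSocket client attach its own handshake headers;
    whether a proxy honours them is outside this example (assumption)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def parse_request_line(data: bytes):
    """Return (method, target, version) from the first line of a request."""
    head, _, _ = data.partition(b"\r\n")
    parts = head.decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


class PortRestrictedProxy:
    """Constructed forward proxy: CONNECT is tunnelled only to allowed ports,
    mirroring the default policy John Tamplin describes (443 only)."""

    def __init__(self, allowed_ports=(443,)):
        self.allowed_ports = set(allowed_ports)

    def handle(self, request: bytes) -> bytes:
        method, target, _version = parse_request_line(request)
        if method != "CONNECT":
            return self._reply(405, "Method Not Allowed")
        host, sep, port_str = target.rpartition(":")
        if not sep or not host or not port_str.isdigit():
            return self._reply(400, "Bad Request")
        if int(port_str) not in self.allowed_ports:
            # This is the failure mode for ws:// on port 80 behind such a proxy.
            return self._reply(403, "Forbidden")
        # A real proxy would now open TCP to host:port and relay bytes
        # opaquely in both directions; it cannot inspect TLS inside the tunnel.
        return self._reply(200, "Connection established")

    @staticmethod
    def _reply(code: int, reason: str) -> bytes:
        return f"HTTP/1.1 {code} {reason}{CRLF}{CRLF}".encode("ascii")


def parse_status(response: bytes) -> int:
    """Return the numeric status code from a proxy response."""
    head, _, _ = response.partition(b"\r\n")
    parts = head.decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line")
    return int(parts[1])


def try_tunnel(proxy: PortRestrictedProxy, host: str, port: int) -> bool:
    """Run one CONNECT exchange; True only when the proxy opened a tunnel."""
    response = proxy.handle(build_connect_request(host, port))
    return parse_status(response) == 200


def tls_context_for(scheme: str) -> ssl.SSLContext:
    """Client TLS settings under the quoted proposal: wss verifies the server
    certificate; ws still runs TLS on 443 but skips verification, giving up
    MITM protection so servers can use self-signed certificates.
    SNI is sent by passing server_hostname=host to ctx.wrap_socket(...),
    independent of the verification mode."""
    ctx = ssl.create_default_context()
    if scheme == "ws":
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif scheme != "wss":
        raise ValueError("scheme must be 'ws' or 'wss'")
    return ctx


if __name__ == "__main__":
    proxy = PortRestrictedProxy()
    for port in (80, 443):
        outcome = "tunnel" if try_tunnel(proxy, "example.com", port) else "refused"
        print(f"CONNECT example.com:{port} -> {outcome}")
```

Run as a script it shows the 80/443 asymmetry directly; the `ws` context is the deliberately weak setting and the `wss` context the verified one, so a reader can see exactly what "ws not check the certificate" would mean in client code.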
- [hybi] Moving to a CONNECT-based handshake Simon Pieters
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake James Graham
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Anne van Kesteren
- Re: [hybi] Moving to a CONNECT-based handshake Anne van Kesteren
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Scott Ferguson
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Joe Hildebrand
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Pat McManus @Mozilla
- Re: [hybi] Moving to a CONNECT-based handshake Greg Wilkins
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Jamie Lokier
- Re: [hybi] Moving to a CONNECT-based handshake Greg Wilkins
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Roy T. Fielding
- Re: [hybi] Moving to a CONNECT-based handshake Adam Barth
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Roy T. Fielding
- Re: [hybi] Moving to a CONNECT-based handshake Adam Barth
- Re: [hybi] Moving to a CONNECT-based handshake Bjoern Hoehrmann