Re: [hybi] Why not just use ssh?

Eric Rescorla <ekr@rtfm.com> Wed, 01 September 2010 15:47 UTC

In-Reply-To: <AANLkTimWWkJR88z0J05suYyC=RZ2PRMfF5K1VNW-Bpn-@mail.gmail.com>
Date: Wed, 01 Sep 2010 08:48:04 -0700
Message-ID: <AANLkTikoYFUishfJiCgzOBTkjo9fCF0BEySrBcK8iBoq@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: John Tamplin <jat@google.com>
Content-Type: multipart/alternative; boundary="000e0cd1d1248ebc6c048f349fa7"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Why not just use ssh?
List-Id: Server-Initiated HTTP <hybi.ietf.org>

Agreed. I'm merely addressing the question of monitoring.

The overhead question is a direct technical tradeoff between the security
benefits of TLS and the additional overhead (minimum 15 bytes with TLS NULL). [0]

-Ekr

[0] We did at one point design a header compression method but it has never
been standardized. The integrity check cannot really be compressed, though
one could imagine specifying an even shorter MAC with correspondingly
less security.

On Wed, Sep 1, 2010 at 8:43 AM, John Tamplin <jat@google.com> wrote:

> On Wed, Sep 1, 2010 at 11:20 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >  ... The natural move would be to say that:
> >
> >     ws: -> TLS with NULL cipher
> >     wss: -> TLS with normal cipher.
>
> As I understand it, even with the NULL cipher you still get TLS record
> overhead which includes a hash of the record contents.  For small
> frames, that will be noticeable overhead.
>
> --
> John A. Tamplin
> Software Engineer (GWT), Google
>
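The record-layer cost being discussed above, shown as an added example that is not part of the thread: a minimal TLS 1.2 NULL-cipher record layer in the style of RFC 5246 section 6.2.3.1, where the only per-record additions are the 5-byte header and the MAC. The key, sequence number and sample fragment are constructed; `mac_len` is a hypothetical knob to model a truncated MAC, as the footnote contemplates (20 bytes is full HMAC-SHA1).

```python
import hashlib
import hmac
import struct

TLS_HEADER_LEN = 5        # ContentType(1) + ProtocolVersion(2) + length(2)
APPLICATION_DATA = 23     # ContentType application_data
TLS12 = b"\x03\x03"       # ProtocolVersion for TLS 1.2

def tls_record_overhead(mac_len: int) -> int:
    """Bytes added per record by a NULL-cipher suite: header plus MAC
    (no IV, no padding, no explicit nonce)."""
    return TLS_HEADER_LEN + mac_len

def _mac(key: bytes, seq: int, fragment: bytes, mac_len: int) -> bytes:
    # RFC 5246 6.2.3.1: MAC(key, seq_num || type || version || length || fragment)
    mac_input = struct.pack("!QB2sH", seq, APPLICATION_DATA, TLS12, len(fragment)) + fragment
    return hmac.new(key, mac_input, hashlib.sha1).digest()[:mac_len]

def seal(key: bytes, seq: int, fragment: bytes, mac_len: int = 20) -> bytes:
    """Build one application_data record for a NULL cipher: the 'encrypted'
    body is just fragment || MAC, so the overhead is purely header + MAC."""
    if not 0 < len(fragment) <= 2 ** 14 or not 0 < mac_len <= 20:
        raise ValueError("fragment or MAC length out of range")
    body = fragment + _mac(key, seq, fragment, mac_len)
    return struct.pack("!B2sH", APPLICATION_DATA, TLS12, len(body)) + body

def open_record(key: bytes, seq: int, record: bytes, mac_len: int = 20) -> bytes:
    """Parse and verify a record from seal(); raise ValueError on any tampering
    or replay (the sequence number is covered by the MAC but not sent)."""
    ctype, ver, length = struct.unpack("!B2sH", record[:TLS_HEADER_LEN])
    body = record[TLS_HEADER_LEN:]
    if ctype != APPLICATION_DATA or ver != TLS12 or len(body) != length or length <= mac_len:
        raise ValueError("malformed record")
    fragment, mac = body[:-mac_len], body[-mac_len:]
    if not hmac.compare_digest(mac, _mac(key, seq, fragment, mac_len)):
        raise ValueError("bad_record_mac")
    return fragment

def is_valid(key: bytes, seq: int, record: bytes, mac_len: int = 20) -> bool:
    """Convenience wrapper: True if open_record() accepts the record."""
    try:
        open_record(key, seq, record, mac_len)
        return True
    except ValueError:
        return False

# Constructed sample: a 4-byte WebSocket-sized payload under a dummy MAC key.
SAMPLE_KEY = b"\x00" * 20
SAMPLE_RECORD = seal(SAMPLE_KEY, 0, b"ping")   # 4 payload bytes, 29 on the wire
```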