IETF Logo Mail Archive

Re: [hybi] workability (or otherwise) of HTTP upgrade

Zhong Yu <zhong.j.yu@gmail.com> Thu, 09 December 2010 06:53 UTC

Return-Path: <zhong.j.yu@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 702583A6A0E for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 22:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.442
X-Spam-Level:
X-Spam-Status: No, score=-2.442 tagged_above=-999 required=5 tests=[AWL=-0.682, BAYES_00=-2.599, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PN7zjYa8kKW for <hybi@core3.amsl.com>; Wed, 8 Dec 2010 22:53:10 -0800 (PST)
Received: from mail-ew0-f53.google.com (mail-ew0-f53.google.com [209.85.215.53]) by core3.amsl.com (Postfix) with ESMTP id 7E7F33A6A1D for <hybi@ietf.org>; Wed, 8 Dec 2010 22:53:09 -0800 (PST)
Received: by ewy6 with SMTP id 6so1469047ewy.40 for <hybi@ietf.org>; Wed, 08 Dec 2010 22:54:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=pY59V3T6RQD6Vv9fXYBCwkS0OplSasjnoi02pLiIhho=; b=mxOzPYT0NJ4f2LdlIX6BfKPvJYSdEa6argMPPZ/Q38QgSoiSiDGrb6zPPcf1TYfYFM MLwRDr6Zpbc5QZlXuijLeYjipeY0HUYxN33XJdw/n6TsCLtza5bQG9w/xSfWm2FPi3PT F59NeP4XZR2CQoDBfajx4lKYqepQLgX/Y5qBM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=B5V79YZLURR74V5pDZ5GBeZARZMoXB6/TyaxBeVJpDmWtO3Wj23s/MMDg9KPxyvEsE nQrUzz0s692tAZrFJtoBLsfyW/FmH8Frho870Z6miPGY2RWBSpmnblthmM0KD6dYHjqe Ynr78jkJbdAeTkUHpLqEjzBCLXNZ93d/wjYFo=
MIME-Version: 1.0
Received: by 10.213.32.6 with SMTP id a6mr10369060ebd.62.1291877677638; Wed, 08 Dec 2010 22:54:37 -0800 (PST)
Received: by 10.213.16.142 with HTTP; Wed, 8 Dec 2010 22:54:37 -0800 (PST)
In-Reply-To: <AANLkTi=k0Czvm_pW=N3zPAGZdKyqZGduGJUp8dk3PByX@mail.gmail.com>
References: <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net> <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com> <BB31C4AB95A70042A256109D461991260583956C@XCH117CNC.rim.net> <EA41A6C7-971C-4EC8-AA6F-96363B7FDC4C@gmail.com> <73E53F19-E0E7-4ADB-B765-ABAF0B4A6736@mnot.net> <r2f0g6d7bj770kg0db5ptr027ninmckns8@hive.bjoern.hoehrmann.de> <20C2FBB9-901F-4235-AF23-EC8262585905@mnot.net> <mgj0g6hseqb6j92au80f8d1ook058nb33m@hive.bjoern.hoehrmann.de> <25E88686-BE24-4EFD-8330-25916C891664@mnot.net> <AANLkTi=k0Czvm_pW=N3zPAGZdKyqZGduGJUp8dk3PByX@mail.gmail.com>
Date: Thu, 09 Dec 2010 00:54:37 -0600
Message-ID: <AANLkTik=aKo1+_-SGga=U8-jsTGAjy9exhNxH4beG2Ah@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Jack Moffitt <jack@collecta.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi HTTP <hybi@ietf.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2010 06:53:11 -0000

On Wed, Dec 8, 2010 at 10:10 PM, Jack Moffitt <jack@collecta.com> wrote:
> One path is to combine the separate port idea along with the encryption based approach.

Great argument! I think you nailed it.

Guys, please hear this out.

Because we can always achieve the highest success rate with WSS on
port 433, we can, and we shall,  completely drop the concern of
success rate from WS protocol design.

Success rate is a problem only in the early phase of WS adoption, and
even then majority of applications won't be affected, since their
target users are home users with simple networks.

Of course we must care about "serious" applications that strive to
reach every internet user, especially users behind corporate
firewalls. The good news is, there is *the* perfect solution --
WSS:433. These companies can certainly afford this solution. Actually
such applications probably shall use TLS anyway just for data privacy.

According to
http://www.ietf.org/mail-archive/web/hybi/current/msg05003.html
the success rate of TLS on 433 is about 95%. There is *nothing* WS can
do to beat that. Whichever trick we put in WS to improve success rate
will be in vain, because people who really care about success rate
must do WSS:433 anyway.

If we drop the concern of success rate from WS design, we gain a lot
of freedom. No more Upgrade or CONNECT, it's moot. Simply design a
brand new syntax that's completely independent of HTTP.

In the early phase of WS adoption, we will advise developers that
plain WS could have problems with some firewalls for some users. They
should measure *their* success rate against *their* user base. If the
success rate is unacceptable, they can always fall back on WSS:433.

WS clients should relax the rules of certificate validation. Don't
panic on self-signed certificates like current browsers do which
doesn't make any sense. If WSS with self-signed certificates are not
treated more badly than plain WS,  frugal application developers don't
need to spend any money to use WSS for the purpose of improving
success rate. WS server can even automate self-signed certificate so
that developers don't need to spend much time either.

If WS and HTTP syntax are completely different, it is still not a
problem for them to share port(if so desired), as long as WS traffic
has some magic text at the start. Web servers must be modified if they
want to handle WS, that is to be expected. WS and HTTP are so
different in modes of operation, it's unrealistic to require that WS
can be implemented as a module to an existing HTTP server, without
touching the HTTP server itself. If we drop the HTTP head from WS, it
will only reduce overall work for server implementors.

There are other server side components that also have to be upgraded
to handle WS. We should not be too sympathetic to them. We got enough
problems already, server side inconvenience should have the lowest
priority. Separation of WS and HTTP will be more beneficial to the
server side people. Mixing WS and HTTP will become a perpetual source
of trouble.

- Zhong Yu

On Wed, Dec 8, 2010 at 10:10 PM, Jack Moffitt <jack@collecta.com> wrote:
> One path is to combine the separate port idea along with the
> encryption based approach. On the WebSocket port, you could avoid all
> the intermediary issues, but perhaps be limited by firewalls.
> However, you would not need any obfuscation and could easily use
> sendfile().  On the TLS port you use NPN to get a WebSocket that is
> not going to cause security problems with intermediaries.
>
> For the short term, we get WebSocket on the port with the highest
> success rate, and in the long term, we have firewalls accepting the
> new port as killer applications make people care.
>
> If we're going to lose the sendfile(), why not go the rest of the way?
> Or is there something I'm missing in the port 80 but just XORed case?
>
> jack.
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email