Re: [hybi] Moving to a CONNECT-based handshake
Willy Tarreau <w@1wt.eu> Wed, 01 December 2010 21:29 UTC
Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A9D953A67C2 for <hybi@core3.amsl.com>; Wed, 1 Dec 2010 13:29:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.124
X-Spam-Level:
X-Spam-Status: No, score=-2.124 tagged_above=-999 required=5 tests=[AWL=-0.081, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tibPGl+WhWbB for <hybi@core3.amsl.com>; Wed, 1 Dec 2010 13:29:10 -0800 (PST)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id BADBC3A67DA for <hybi@ietf.org>; Wed, 1 Dec 2010 13:29:02 -0800 (PST)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id oB1LU2gk022105; Wed, 1 Dec 2010 22:30:02 +0100
Date: Wed, 01 Dec 2010 22:30:02 +0100
From: Willy Tarreau <w@1wt.eu>
To: "Roy T. Fielding" <fielding@gbiv.com>
Message-ID: <20101201213002.GN19021@1wt.eu>
References: <4CF52558.9010100@gmx.de> <4CF529FF.9080708@opera.com> <BB31C4AB95A70042A256109D4619912605790150@XCH117CNC.rim.net> <AANLkTimzTvtho0m9HZSe6exgSwZxbCnxtmeJd2-G0aSK@mail.gmail.com> <BB31C4AB95A70042A256109D4619912605790178@XCH117CNC.rim.net> <BB31C4AB95A70042A256109D4619912605790190@XCH117CNC.rim.net> <AANLkTimQJz22RtoVnB16C8Mi4C8=QKB946wSR9BRsP85@mail.gmail.com> <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com> <AANLkTimPj6Xpqfm2k_VLeF=7M7s57yhsq67o4frKrK7L@mail.gmail.com> <780F99F1-00F7-4E4A-A29F-9C94F66ADD13@gbiv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <780F99F1-00F7-4E4A-A29F-9C94F66ADD13@gbiv.com>
User-Agent: Mutt/1.4.2.3i
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Moving to a CONNECT-based handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2010 21:29:26 -0000
On Wed, Dec 01, 2010 at 12:21:46PM -0800, Roy T. Fielding wrote: > b) obfuscate the data sent via websockets in some way that the client > page cannot control or deceive. [e.g., encryption, gzip with a fixed > dictionary, or escaping LF in data.] > > c) establish post-handshake framing that prevents subsequent data > from being interpreted as an HTTP request or response. > [e.g., inserting a 'W' after every LF in data.] That's why Greg and I keep saying that the framing definitely has an impact on the whole thing and the handshake does not have to cover everything by itself (which was proven by Adam's experiments BTW : handshake without WS data can fool some proxies). In my opinion, if we can have a framing that never sends an LF (or even neither a CR nor an LF), there is no way a WebSocket request or response can be misinterpreted as HTTP. And doing that is not necessarily difficult. We could think about escaping them or also to work on 7-bit with one bit always set (eg: bit7==1). I still find it better to make the protocol safe by design than to try to escape some known gray areas with some paint, and I'm still convinced that the framing has a much more important role to play here than the handshake considering that we want to ensure a buggy intermediary will not accidentely take the data for an HTTP request. > Note that none of the above has anything to do with Upgrade or the method used > in the initial exchange. Labeling the paper as discovering a vulnerability in > the Upgrade handshake is misleading and unethical. > > Adam's solution (and EKR's usual hammer) is to use TLS encryption. That is > fine when it satisfies the protocol use cases, but not so great when it > doesn't. To be honnest, at one point I wondered whether the goal of the paper wasn't to get everyone reject it so that we can conclude that HTTP was not usable and that TLS was the only remaining solution :-/ The sad part is that if we had finished the work on the HTTP handshake earlier without agitating that many strawmen, we could already be working on a TLS variant ! > A more sensible test would have been to use a new method, like WEBSOCKET, > since then at least the initial handshake could remain HTTP-compliant. It has already been explored, but it happens that stupid proxies have no reason to make a difference between that an a GET, so if they can fail on a GET, they can fail on a new method. The point beind the CONNECT is that it's already a known method with known semantics, eventhough it also has its share of issues. Alternatively, "OPTIONS *" is also well-defined and may have less risks of being mis-routed by quick-n-dirty proxies. > BTW2, "transparent proxy" != "intercept proxy". A proxy is called transparent > when it doesn't transform the messages exchanged, unlike intercepts (which > aren't even true proxies since they are unknown to the client). Please use > the correct terminology. I see varying terminologies for that, and I think that it's been caused by the combined used of such proxies with traffic interception. It's common to call such proxies "transparent" when they're not declared by the user, as they're transparent to the user. Thus they act as intercepting proxies. I often call them reverse-proxies, which is well understood on the server side but much less on the client side! However I tend to prefer the wording "gateway" from the HTTP spec is better because it does not preclude one specific usage. But when explained to network people it creates confusion... Regards, Willy
- [hybi] Moving to a CONNECT-based handshake Simon Pieters
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake James Graham
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Anne van Kesteren
- Re: [hybi] Moving to a CONNECT-based handshake Anne van Kesteren
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Scott Ferguson
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Joe Hildebrand
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Pat McManus @Mozilla
- Re: [hybi] Moving to a CONNECT-based handshake Greg Wilkins
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Jamie Lokier
- Re: [hybi] Moving to a CONNECT-based handshake Greg Wilkins
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Roy T. Fielding
- Re: [hybi] Moving to a CONNECT-based handshake Adam Barth
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Roy T. Fielding
- Re: [hybi] Moving to a CONNECT-based handshake Adam Barth
- Re: [hybi] Moving to a CONNECT-based handshake Bjoern Hoehrmann