IETF Logo Mail Archive

Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Scott Ferguson <ferg@caucho.com> Sun, 28 November 2010 05:59 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EBC4D3A6816 for <hybi@core3.amsl.com>; Sat, 27 Nov 2010 21:59:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level:
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[AWL=2.045, BAYES_00=-2.599, GB_I_LETTER=-2, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tp93QDZKNE4Z for <hybi@core3.amsl.com>; Sat, 27 Nov 2010 21:59:21 -0800 (PST)
Received: from nm22-vm0.bullet.mail.sp2.yahoo.com (nm22-vm0.bullet.mail.sp2.yahoo.com [98.139.91.222]) by core3.amsl.com (Postfix) with SMTP id C858D3A67FB for <hybi@ietf.org>; Sat, 27 Nov 2010 21:59:21 -0800 (PST)
Received: from [98.139.91.69] by nm22.bullet.mail.sp2.yahoo.com with NNFMP; 28 Nov 2010 06:00:26 -0000
Received: from [98.139.91.2] by tm9.bullet.mail.sp2.yahoo.com with NNFMP; 28 Nov 2010 06:00:26 -0000
Received: from [127.0.0.1] by omp1002.mail.sp2.yahoo.com with NNFMP; 28 Nov 2010 06:00:26 -0000
X-Yahoo-Newman-Id: 173189.55689.bm@omp1002.mail.sp2.yahoo.com
Received: (qmail 17677 invoked from network); 28 Nov 2010 06:00:26 -0000
Received: from scott-fergusons-macbook-pro-3.local (ferg@71.141.226.40 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 27 Nov 2010 22:00:25 -0800 PST
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: qudr0F8VM1lcqv2VyVSgF36hAIjwg1gMf1DbRMggHBczgwU .reCu_uCSlK8T0v7KkVQz79jClHjXk84KtWjyXnZ70FLfWrz1eSsnxWMMpV6 qcmv5UOzAC.Oxxww6i5qicVLuTJ7_oW.v99o40Z2a1WA5IlpIjz1GRvJzCG0 brHblxS.ENnYSQpXpLtDPCc.ogdB7lhWLF90cknz_62uU8_laNlsfQ1TDEFE 8YPthL84oH70Jmerhghsua9iXM1MLtBVs171A.nuX.zPnIbeT0GBTmSnIY4E BHcENV8wg8qwbTxIIMit1cn0Mkw--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CF1EFF9.7040803@caucho.com>
Date: Sat, 27 Nov 2010 22:00:25 -0800
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: ifette@google.com
References: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com> <AANLkTimSu1fOGCg0gqX2EFh4v-MkpZuY_-onm3+TO_Z0@mail.gmail.com> <AANLkTimYpdp-75BQSmhAUfyrQv19LvzF1ouznst+ANUG@mail.gmail.com> <AANLkTikbycTS51Ein9ybbZ52zcrViFCNBjCmpRGD3yCk@mail.gmail.com> <AANLkTim=_Ey_7tSJ0H8OKzip-UcwtJ=YMG5wf_f_qnty@mail.gmail.com> <20101127071644.GB26428@1wt.eu> <AANLkTi=Rqu-hm=Jy-GFf706smD8zEHbeD-oP7dNCN6Ro@mail.gmail.com> <20101127161638.GE26428@1wt.eu> <AANLkTi=snwcb8F89KjpD8tQUYSSBr6YF1OdaGgr1e9Xa@mail.gmail.com> <AANLkTi=2M1ubEgR44PL7JpydkaZaOwwimuvhJq=E30+A@mail.gmail.com>
In-Reply-To: <AANLkTi=2M1ubEgR44PL7JpydkaZaOwwimuvhJq=E30+A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Nov 2010 05:59:23 -0000

Ian Fette (イアンフェッティ) wrote:
> On Sat, Nov 27, 2010 at 8:24 AM, Adam Barth <ietf@adambarth.com 
> <mailto:ietf@adambarth.com>> wrote:
>
>     On Sat, Nov 27, 2010 at 8:16 AM, Willy Tarreau <w@1wt.eu
>     <mailto:w@1wt.eu>> wrote:
>     > On Sat, Nov 27, 2010 at 07:51:17AM -0800, Eric Rescorla wrote:
>     >> What's the argument *for* having an insecure handshake?
>     >
>     > There's no argument *for* having an insecure handshake, there
>     are arguments
>     > for having a safe HTTP-compliant handshake.
>
>     The handshake we're proposing is both safe and HTTP compliant.
>
>     Kind regards,
>     Adam
>
>
> I really appreciate all the work you and others have done with this 
> paper. I have a few questions I'd like to ask if you wouldn't mind.
>
> #1, if we changed the non-bogus Host header to be the real host, do 
> you believe that would have any substantial negative impact?
> #2 Is there anything else that is in the handshake proposal that is 
> perhaps HTTP compliant by the letter but not the spirit? (Other than 
> CONNECT vs UPGRADE -- I think you've made that case.)
>
> I personally don't care strongly enough about the above to call them a 
> requirement, but a number of people on this list have raised the HTTP 
> compat issue so I would like to better understand what that would 
> imply with the proposal this paper suggests the group move forward with.

The change of the CONNECT URI to the known host "websocket.invalid" 
makes a difference, because a server can dispatch the known 
"websocket.invalid" host to a websocket handler. (The earlier scrambling 
of the URI was unworkable.)

In other words, there's a difference between a well-known 
"websocket.invalid" host and a bogus host. A truly bogus host would be a 
problem (and wouldn't be HTTP in any meaningful way).

That's from the end-server perspective. I don't know about proxies, 
although I'd think a websocket-aware proxy could unpack the embedded URL 
and forward based on it.

-- Scott



>
> -Ian 
> ------------------------------------------------------------------------
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email