IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Fri, 24 September 2010 04:41 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 038953A68EA for <hybi@core3.amsl.com>; Thu, 23 Sep 2010 21:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level:
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[AWL=-1.005, BAYES_00=-2.599, GB_ABOUTYOU=0.5, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ay0oADPo83o2 for <hybi@core3.amsl.com>; Thu, 23 Sep 2010 21:41:14 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 7B6583A68DF for <hybi@ietf.org>; Thu, 23 Sep 2010 21:41:14 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o8O4feSm027752; Fri, 24 Sep 2010 06:41:40 +0200
Date: Fri, 24 Sep 2010 06:41:40 +0200
From: Willy Tarreau <w@1wt.eu>
To: Greg Wilkins <gregw@webtide.com>
Message-ID: <20100924044140.GD25155@1wt.eu>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi <hybi@ietf.org>, Alexander Voronin <alexander.voronin@gmail.com>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 04:41:18 -0000

Greg,

I agree with all your points about your proposal, except the one
below :

On Thu, Sep 23, 2010 at 12:06:14PM -0700, Greg Wilkins wrote:
> Thus I think the ping/pong proposal is as least as good as the current
> handshake in this regards.

Since the client does not expect a response, it can't know whether
the intermediaries are blocking or not, which means it might be trying
to send large amounts of data before detecting that they're blocked.
And some intermediaries will definitely block. But I think that with
adding a few headers in the response (CL:0 + Conn: close), we should
be able prevent such intermediaries from sending the server's ping to
the client and trick them into closing first, which might do the trick.

However, I find the principle of not sending anything until the server
speaks WS a good idea because it protects against cross-proto attacks
after the handshake. The inital part being HTTP, it performs no better
and no worse than HTTP.

So if we're going to make the handshake look like this, then our efforts
must go towards ensuring that intermediaries that are not able to forward
the client's poing won't forward the server's ping first.

Last point, if we do that, we must keep in mind that it should not be
directly reused for non-HTTP handshake openings. It's important for
firewalls, IDS, proxies, etc... to see what protocol the client speaks
before forwarding to the server, so it will have to be advertised first.

Regards,
Willy

v2.23.0 | Report a Bug | By Email