Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

[Adam Barth <ietf@adambarth.com>]

On Mon, Nov 29, 2010 at 10:23 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 27.11.2010 00:48, Adam Barth wrote:
>> David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been
>> experimenting with the security of the Upgrade-based and CONNECT-based
>> WebSocket handshakes.  Please find a paper detailing our findings at
>> this location:
>>
>> http://www.adambarth.com/experimental/websocket.pdf
>> ...
>
> Very interesting stuff.
>
> How about:
>
> 1) Installing a permanent test service which would allow people to check
> whether they have broken intermediaries in the path, and then

We did this for the DNS rebinding work, but it didn't turn out to be
that valuable.  These services have a lot of moving parts and tend to
break down if not actively maintained.  Generally, we haven't found
that folks have enough motivation to actively maintain these services,
which is why we write papers that describe the issues in enough detail
that other folks can reproduce our results independently.

> 2) Re-run the experiment again at a later point.

I'm not sure what the point of that would be, but if there's interest,
we might re-run the experiment in five years to see what happened.

> Also:
>
> 3) Stop shipping implementations of the so-called "76" protocol; we know,
> that the current version performs better because of the framing, right?

AFAIK, everyone who has shipped the 76 protocol has stated their
intention to upgrade to the final version of the protocol.  Hopefully
we'll be able to settle the handshake issue and finish up the spec
soon.

Adam