IETF Logo Mail Archive

Re: [hybi] Web sockets and existing HTTP stacks

Maciej Stachowiak <mjs@apple.com> Wed, 03 February 2010 08:22 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AEEF13A6A8B for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 00:22:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.42
X-Spam-Level:
X-Spam-Status: No, score=-106.42 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dw-Cbor-sEI5 for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 00:22:43 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id EACB93A6A8A for <hybi@ietf.org>; Wed, 3 Feb 2010 00:22:43 -0800 (PST)
Received: from relay16.apple.com (relay16.apple.com [17.128.113.55]) by mail-out4.apple.com (Postfix) with ESMTP id A113F89E5478 for <hybi@ietf.org>; Wed, 3 Feb 2010 00:23:25 -0800 (PST)
X-AuditID: 11807137-b7bd4ae000000f0d-63-4b69327dcd46
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay16.apple.com (Apple SCV relay) with SMTP id B3.68.03853.D72396B4; Wed, 3 Feb 2010 00:23:25 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.86.222] by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KX900LL8BB0EJ80@elliott.apple.com> for hybi@ietf.org; Wed, 03 Feb 2010 00:23:25 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4B692EDB.1060300@gmx.de>
Date: Wed, 03 Feb 2010 00:23:24 -0800
Message-id: <E9DF7FE9-70F0-4268-8CEF-1007D71F9FBB@apple.com>
References: <557ae280911171402v7546e5e7n93a1e57f87dc10e5@mail.gmail.com> <5c902b9e0912181640n497169cdrfa71f9a2908e6ef3@mail.gmail.com> <20091219005442.GA10949@shareable.org> <4B2C287E.1030006@webtide.com> <Pine.LNX.4.64.1001310835410.3846@ps20323.dreamhostps.com> <4B67A237.2040505@webtide.com> <ad99d8ce1002012139l3b8f525bj9caf7861332f3d18@mail.gmail.com> <1427E183-FDBC-4854-9455-B93AB28DAB03@apple.com> <ad99d8ce1002012343n132169f8wbaacc1cf4efe2f87@mail.gmail.com> <31123817-6D3F-489D-9F48-109AC93E6769@apple.com> <ad99d8ce1002030000i566f3517qddf4e62f386c9211@mail.gmail.com> <4B692EDB.1060300@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] Web sockets and existing HTTP stacks
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 08:22:44 -0000

On Feb 3, 2010, at 12:07 AM, Julian Reschke wrote:

> Roberto Peon wrote:
>> On Tue, Feb 2, 2010 at 5:25 PM, Maciej Stachowiak <mjs@apple.com <mailto:mjs@apple.com>> wrote:
>>    On Feb 1, 2010, at 11:43 PM, Roberto Peon wrote:
>>>    Simple-- the proxy won't know that the response from the server is
>>>    websocket specific, and may reorder things.
>>>    You should not assume that the termination point (the "host") is a
>>>    server. It could be a reverse proxy. In such cases, the proxy
>>>    needs to treat the response as HTTP until it has been fully read
>>>    and interpreted.
>>> 
>>>    This response IS HTTP, so HTTP rules apply. It isn't a some random
>>>    more-restrictive subset of the response rules. It is still HTTP at
>>>    that point. That means that you don't get to add additional
>>>    restrictions on that request. If you do, then you're creating
>>>    headaches for everyone.
>>    OK, just to clarify, are you saying that it's specifically the
>>    constraint on header ordering that is a problem? I'm trying to
>>    figure out which specific requirements are problematic and why. For
>>    example, is the requirement to have some special text in the status
>>    line acceptable?
>> Having some required header ordering is a problem.
>> As for special text in the status line, I'd have to examine the spec again to be sure-- if proxies have the ability to drop the status text (the third part of the first line of the HTTP response, which I'm assuming we're talking about here), then it shouldn't be relied upon.
>> ...
> 
> I don't think HTTP specifies this. As Status-Phrase is just informational, I wouldn't surprised when it happened, or when it was rewritten. I'm pretty sure that there are server frameworks where it can't easily be set.

I am pretty sure a lot of popular servers do let modules/extensions/scripts running inside them set it, so I don't think this is a huge practical problem.

> 
> Anyway: if another line of defense is added (and that's how I understand Maciej's proposal), is there still a point to insist on the exact Status-Phrase?

According to a security expert I asked, the strongest defense against cross-protocol attacks is in the first few bytes. So I think removing all requirements on the status-phrase would make the protocol less robust against cross-protocol attacks.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email