Re: [hybi] deflate-stream and masking
Bruce Atherton <bruce@callenish.com> Tue, 21 June 2011 21:41 UTC
Return-Path: <bruce@callenish.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EF1811E80CA for <hybi@ietfa.amsl.com>; Tue, 21 Jun 2011 14:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Pw1z12r6-QD for <hybi@ietfa.amsl.com>; Tue, 21 Jun 2011 14:41:30 -0700 (PDT)
Received: from biz82.inmotionhosting.com (biz82.inmotionhosting.com [173.247.251.126]) by ietfa.amsl.com (Postfix) with ESMTP id 4936F11E80B7 for <hybi@ietf.org>; Tue, 21 Jun 2011 14:41:30 -0700 (PDT)
Received: from [24.108.133.142] (helo=[192.168.145.100]) by biz82.inmotionhosting.com with esmtpa (Exim 4.69) (envelope-from <bruce@callenish.com>) id 1QZ8hM-0004Gn-UD; Tue, 21 Jun 2011 14:41:28 -0700
Message-ID: <4E010FF9.1000207@callenish.com>
Date: Tue, 21 Jun 2011 14:41:13 -0700
From: Bruce Atherton <bruce@callenish.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.17) Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Greg Wilkins <gregw@intalio.com>
References: <BANLkTi=UVMAd1nER6mRBe7zoD29CSbCkGA@mail.gmail.com>
In-Reply-To: <BANLkTi=UVMAd1nER6mRBe7zoD29CSbCkGA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz82.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - callenish.com
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] deflate-stream and masking
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2011 21:41:32 -0000
Although I agree with you that deflate-stream is a bad idea and recognize that the decision to include it was made before it had been determined that masking applies only to payload data (so deflate-stream has to be done on masked data), I think it might be difficult to get agreement to remove it as a known extension in the spec at this point. But just because it is a known extension does not mean it needs to be implemented. My suggestion is that everyone that thinks it is a bad idea should remove deflate-stream from their implementations and add in deflate-frame. So long as deflate-frame is available I don't imagine there will be a groundswell of consumer desire for the far less useful deflate-stream. On 19/06/2011 11:33 PM, Greg Wilkins wrote: > As part of my continuing campaign against including deflate-stream in > the specification as a standard extension, I did a quick test of how > well it works when applied to masked frames. > > I took a days worth of traffic from an IRC channel and wrapped it up > as JSON messages sent as websocket frames. > There were 487 message that looked like: > > {channel:"#webtide", username:"tbecker", text:"joakime: jenkins > had issues pulling from github a couple of times last week"} > > As an unmasked WS stream, it was 50675 bytes, and as a masked stream > is was 52623 bytes. > I then compressed both these streams with gzip and got 13306 bytes for > unmasked and 51704 bytes for the masked!!!! > > So for this very typical example, masking was sufficiently random to > completely negate the benefits of compression. > > So the deflate-stream "extension" is: > > + next to useless for inbound traffic > + breaks all the rules of what an extension can do > + is potentially vulnerable to injection as attackers can send > repeated patterns that may subvert masking > + can be replaced by the in-frame compression extension already proposed. > + was inserted in the draft with little or no discussion and without > clear consensus. > > Can I call for a straw poll of who wants to keep this extension in the spec? > > > > regards > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi
- [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Dirkjan Ochtman
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Bob Gezelter
- Re: [hybi] deflate-stream and masking Arman Djusupov
- Re: [hybi] deflate-stream and masking Bruce Atherton
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Ian Fette (イアンフェッティ)
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Bruce Atherton
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Brian
- Re: [hybi] deflate-stream and masking Arman Djusupov
- Re: [hybi] deflate-stream and masking Philipp Serafin
- [hybi] Fwd: Re: deflate-stream and masking Justin Lee
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Alexander Philippou
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Patrick McManus
- Re: [hybi] deflate-stream and masking Alexander Philippou
- Re: [hybi] deflate-stream and masking Peter Saint-Andre
- Re: [hybi] deflate-stream and masking Gabriel Montenegro
- Re: [hybi] deflate-stream and masking Patrick McManus
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Willy Tarreau
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Peter Saint-Andre
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Bjoern Hoehrmann
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Peter Saint-Andre