Re: [hybi] Why not just use ssh?

Willy Tarreau <w@1wt.eu> Wed, 01 September 2010 21:46 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ADCE63A69B4 for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 14:46:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[AWL=-0.659, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 57m6qBkT0QJ0 for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 14:46:49 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 779D53A68F2 for <hybi@ietf.org>; Wed, 1 Sep 2010 14:46:48 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o81LlHL1010448; Wed, 1 Sep 2010 23:47:17 +0200
Date: Wed, 01 Sep 2010 23:47:17 +0200
From: Willy Tarreau <w@1wt.eu>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20100901214717.GC10275@1wt.eu>
References: <d48398080b610405d982ffd924f58e27.squirrel@sm.webmail.pair.com> <AANLkTin8CiHFoOSFdcRPern5YY-FdODC4GST+BrP3t_j@mail.gmail.com> <AANLkTi=fn2JE7a0b_0KFFLwq3eG_-xnaRazXAMPGi0N3@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBCBD@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTinE1MB10nUhpnU-SC+aLjPmFyu3NhjLC1-wMmW7@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFBEF4@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <AANLkTim5Wsfohbn2S0jpm6CDkq+xFcpzDTRWJ0YXWbcg@mail.gmail.com> <20100901211959.GA10275@1wt.eu> <AANLkTik2ggyrTQG5hExX3f2K+Ly1R_A9yM6fZEUawsz-@mail.gmail.com> <AANLkTinwSB3q-H=TL-yXKiAmeDbSCB9dBxuERzB6h39B@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTinwSB3q-H=TL-yXKiAmeDbSCB9dBxuERzB6h39B@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Why not just use ssh?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 21:46:49 -0000

On Wed, Sep 01, 2010 at 02:40:23PM -0700, Eric Rescorla wrote:
> On Wed, Sep 1, 2010 at 2:28 PM, Adam Barth <ietf@adambarth.com> wrote:
> 
> > On Wed, Sep 1, 2010 at 2:19 PM, Willy Tarreau <w@1wt.eu> wrote:
> > > Also, I don't see why TLS could not be used on top of HTTP as is proposed
> > > by 2817. This has the advantage of HTTP being easy to handle with existing
> > > infrastructure and offers the better protection of TLS.
> >
> > RFC 2817 is a joke and, as I understand things, about to be moved to
> > historic.
> 
> I don't know about historic or not, but the Upgrade part of HTTP is
> basically irrelevant to the Web. Everyone uses 2818. The CONNECT part is
> still relevant.

Well, FWIW, in January I suggested to use CONNECT instead of Upgrade
(because CONNECT is more common) but there were objections due to the
fact that CONNECT is only used with proxies right now, and it would
*possibly* be dangerous to send that to servers that can sometimes act
as proxies. In fact, in my opinion, CONNECT is exactly equivalent to
an Upgrade, in that it establishes a bidirectional connection between
the client and the other side, and nothing prevents the "other side"
from being the server itself. Still, that would not change anything
WRT the cross-protocol attacks. It could even be worse, because while
upgrade-aware servers are the only ones which can respond 101, any
stupid server which does not check the method might respond 200 to
a CONNECT.

Willy
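The closing point of the message, as an added illustration that is not code from the thread or from any of the participants: two simulated servers (one that answers 200 to any method without looking at it, one that only switches protocols on an explicit Upgrade) and the client-side acceptance check that goes with each handshake style. The CONNECT check follows RFC 2817 semantics (any 2xx means the tunnel is open); the Upgrade check requires 101 plus `Upgrade: websocket` and `Connection: Upgrade`, the header names of the HTTP Upgrade mechanism as used by the later WebSocket handshake. The host name, both server behaviours and the request bodies are constructed for the example, no sockets are opened, and the WebSocket key/accept exchange is deliberately left out.

```python
"""Upgrade vs CONNECT against a method-blind server (constructed example)."""


def _parse_message(raw: bytes):
    """Split an HTTP/1.x request or response head into (start line, headers).

    Header names are lower-cased; a body, if present, is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _has_upgrade_tokens(headers) -> bool:
    """True if Connection lists 'upgrade' and Upgrade names 'websocket'."""
    conn = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "upgrade" in conn and headers.get("upgrade", "").lower() == "websocket"


def upgrade_request(host: str, path: str = "/chat") -> bytes:
    """Client side of an HTTP Upgrade handshake (constructed request)."""
    return (
        "GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\n"
        "Connection: Upgrade\r\n\r\n" % (path, host)
    ).encode("ascii")


def connect_request(host: str, port: int = 80) -> bytes:
    """Client side of a CONNECT handshake (constructed request)."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")


def naive_server(request: bytes) -> bytes:
    """Simulated server that never inspects the method: 200 to anything."""
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def upgrade_aware_server(request: bytes) -> bytes:
    """Simulated server that switches protocols only on an explicit Upgrade."""
    start, headers = _parse_message(request)
    method = start.split(" ")[0]
    if method == "GET" and _has_upgrade_tokens(headers):
        return (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\n\r\n")
    if method == "CONNECT":
        # Not a proxy: refuse rather than pretend a tunnel exists.
        return b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def upgrade_accepted(response: bytes) -> bool:
    """Client check for Upgrade: only 101 with matching headers counts."""
    start, headers = _parse_message(response)
    return int(start.split(" ")[1]) == 101 and _has_upgrade_tokens(headers)


def connect_accepted(response: bytes) -> bool:
    """Client check for CONNECT: per RFC 2817, any 2xx opens the tunnel."""
    start, _headers = _parse_message(response)
    return 200 <= int(start.split(" ")[1]) < 300


def run_matrix():
    """Run both handshakes against both servers; True means the client would
    start speaking the tunneled protocol on that connection."""
    host = "example.net"  # constructed host name
    servers = (("naive", naive_server), ("upgrade_aware", upgrade_aware_server))
    results = {}
    for name, server in servers:
        results[(name, "upgrade")] = upgrade_accepted(server(upgrade_request(host)))
        results[(name, "connect")] = connect_accepted(server(connect_request(host)))
    return results


if __name__ == "__main__":
    for (server, style), ok in sorted(run_matrix().items()):
        print("%-14s %-8s -> %s" % (server, style, "tunnel/upgrade" if ok else "rejected"))
```

The only combination that "succeeds" against the method-blind server is CONNECT: its 200 is indistinguishable from a proxy's tunnel-established reply, so the client would go on to speak the tunneled protocol to a server that never agreed to it, which is the cross-protocol hazard the message describes. The Upgrade handshake against the same server fails, because 200 is not 101 and the Upgrade/Connection headers are absent.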