Re: [hybi] Why not just use ssh?
Willy Tarreau <w@1wt.eu> Wed, 01 September 2010 21:46 UTC
Date: Wed, 01 Sep 2010 23:47:17 +0200
From: Willy Tarreau <w@1wt.eu>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20100901214717.GC10275@1wt.eu>
In-Reply-To: <AANLkTinwSB3q-H=TL-yXKiAmeDbSCB9dBxuERzB6h39B@mail.gmail.com>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Why not just use ssh?
On Wed, Sep 01, 2010 at 02:40:23PM -0700, Eric Rescorla wrote:
> On Wed, Sep 1, 2010 at 2:28 PM, Adam Barth <ietf@adambarth.com> wrote:
>
> > On Wed, Sep 1, 2010 at 2:19 PM, Willy Tarreau <w@1wt.eu> wrote:
> > > Also, I don't see why TLS could not be used on top of HTTP as is proposed
> > > by 2817. This has the advantage of HTTP being easy to handle with existing
> > > infrastructure and offers the better protection of TLS.
> >
> > RFC 2817 is a joke and, as I understand things, about to be moved to
> > historic.
>
> I don't know about historic or not, but the Upgrade part of HTTP is
> basically irrelevant to the Web. Everyone uses 2818. The CONNECT part is
> still relevant.

Well, FWIW, in January I suggested to use CONNECT instead of Upgrade (because
CONNECT is more common) but there were objections due to the fact that CONNECT
is only used with proxies right now, and it would *possibly* be dangerous to
send that to servers that can sometimes act as proxies.

In fact in my opinion, CONNECT is exactly equivalent to an Upgrade, in that it
establishes a bidirectional connection between the client and the other side,
and nothing prevents the "other side" from being the server itself.

Still that would not change anything WRT the cross-protocol attacks. It could
even be worse, because while upgrade-aware servers are the only ones which can
respond 101, any stupid server which does not check the method might respond
200 to a CONNECT.

Willy
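The point Willy makes at the end (only an Upgrade-aware server can answer 101, while a server that ignores the method can answer 200 to CONNECT) is easiest to see from the client side of the handshake. The following is an added example, not code from the hybi thread or from any of the participants: it builds both kinds of request, parses the status line and headers of a response, and applies this example's own acceptance rules. The acceptance rules lean on two facts from the HTTP specifications: a 101 must carry an Upgrade header naming the new protocol (RFC 7230 section 6.7), and a 2xx to CONNECT opens the tunnel immediately after the header block and must not carry Content-Length or Transfer-Encoding (RFC 7231 section 4.3.6). Requiring `Connection: Upgrade` on the 101 is this example's stricter choice. The four responses are constructed to model an Upgrade-aware server, an Upgrade-unaware server, a real proxy tunnel, and a method-agnostic origin server; they are not captured traffic.

```python
"""Client-side handshake checks for HTTP Upgrade versus CONNECT.

Added example for the hybi thread above, not code from the thread itself.
The sample responses are constructed, not captured from real servers.
"""

from typing import Dict, Set, Tuple


def build_upgrade_request(host: str, path: str, protocol: str) -> bytes:
    # Upgrade rides on an ordinary GET; the server may ignore it and just serve the path.
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Connection: Upgrade\r\n"
        f"Upgrade: {protocol}\r\n\r\n"
    ).encode()


def build_connect_request(authority: str) -> bytes:
    # CONNECT names an authority (host:port), not a path.
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split an HTTP/1.x response into (status, lower-cased headers, bytes after the blank line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.decode("latin-1").split("\r\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError(f"not an HTTP/1.x status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, rest


def tokens(value: str) -> Set[str]:
    # Comma-separated header values such as "Upgrade, keep-alive".
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def upgrade_accepted(raw: bytes, protocol: str) -> Tuple[bool, str]:
    """Only a server that understood Upgrade can answer 101 and echo the protocol.
    Any other status means the connection is still HTTP and the bytes after the
    blank line are an HTTP body, not frames of the new protocol."""
    status, headers, _ = parse_response(raw)
    if status != 101:
        return False, f"status {status}: server stayed in HTTP"
    if protocol.lower() not in tokens(headers.get("upgrade", "")):
        return False, "101 without a matching Upgrade header"
    if "upgrade" not in tokens(headers.get("connection", "")):
        return False, "101 without Connection: Upgrade (this example's stricter rule)"
    return True, f"switched to {protocol}"


def connect_accepted(raw: bytes) -> Tuple[bool, str]:
    """A 2xx to CONNECT means the tunnel is open right after the header block and
    must carry no Content-Length, Transfer-Encoding or body (RFC 7231 4.3.6).
    A 200 that does carry them is the signature of an origin server that ignored
    the method and served a resource, which is exactly the ambiguity with CONNECT:
    200 is also what a correct tunnel returns."""
    status, headers, rest = parse_response(raw)
    if not 200 <= status < 300:
        return False, f"status {status}: no tunnel"
    if "content-length" in headers or "transfer-encoding" in headers or rest:
        return False, "2xx with a message body: server treated CONNECT as an ordinary request"
    return True, "tunnel open"


# Constructed responses modelling four servers (not captured traffic).
UPGRADE_AWARE_101 = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
)
# Upgrade-unaware server: ignores the Upgrade header and serves the page.
UPGRADE_UNAWARE_200 = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: 20\r\n\r\n<p>hello, world</p>\n"
)
# Proxy (or server acting as one) that really opened a tunnel.
TUNNEL_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
# Method-agnostic origin server: answers CONNECT the same way it answers GET.
NAIVE_CONNECT_200 = UPGRADE_UNAWARE_200


if __name__ == "__main__":
    print(build_upgrade_request("example.com", "/chat", "websocket").decode())
    print(build_connect_request("example.com:443").decode())
    for name, raw in [("aware", UPGRADE_AWARE_101), ("unaware", UPGRADE_UNAWARE_200)]:
        print("Upgrade /", name, "->", upgrade_accepted(raw, "websocket"))
    for name, raw in [("tunnel", TUNNEL_200), ("naive", NAIVE_CONNECT_200)]:
        print("CONNECT /", name, "->", connect_accepted(raw))
```

The asymmetry is the one the message describes: for Upgrade the client gets a positive signal (101 plus the echoed protocol) that only an aware server produces, whereas for CONNECT the "success" code is the same 200 a naive server returns for anything, so the client is reduced to a negative heuristic (no body, no framing headers) to tell the two apart.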