Re: [hybi] deflate-stream and masking
David Endicott <dendicott@gmail.com> Wed, 20 July 2011 18:10 UTC
Return-Path: <dendicott@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7E5121F8AE6 for <hybi@ietfa.amsl.com>; Wed, 20 Jul 2011 11:10:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSYiIZVXk6Zi for <hybi@ietfa.amsl.com>; Wed, 20 Jul 2011 11:10:03 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id A99E721F8AF5 for <hybi@ietf.org>; Wed, 20 Jul 2011 11:10:02 -0700 (PDT)
Received: by wyj26 with SMTP id 26so398382wyj.31 for <hybi@ietf.org>; Wed, 20 Jul 2011 11:09:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=FMlZtZsElKU9/Pqtr6KTNhOtDzSNKNaogDi0oNrzttA=; b=S+ZxNbgCJw9d/WZd5J25WiKc1vxk7VSREU33zlNVk/waZ2NX5Avgh+0E2O2w7zQJe6 8jSmYpRlw7GSnzet+bBjoxmOTK2zv4r9z9xJY7q1aP4j2SO9TASYPAB8U5WsVq7KAyvK 66TQ66a/Y5E3ZNhSAURF7/ulUFtJKrsW1/DE0=
MIME-Version: 1.0
Received: by 10.216.1.200 with SMTP id 50mr957971wed.33.1311185378566; Wed, 20 Jul 2011 11:09:38 -0700 (PDT)
Received: by 10.216.39.197 with HTTP; Wed, 20 Jul 2011 11:09:38 -0700 (PDT)
In-Reply-To: <CAE8AN_V-P2L0mVwjPQYxAypJ67=QWKAhWnDqrM_XmDQXjJbEHA@mail.gmail.com>
References: <BANLkTi=UVMAd1nER6mRBe7zoD29CSbCkGA@mail.gmail.com> <CAH_y2NFMdr1ZU2dfy9mCRepZc2R_hnzg0oa3kYPKhWY-FX_8Og@mail.gmail.com> <CAE8AN_V-P2L0mVwjPQYxAypJ67=QWKAhWnDqrM_XmDQXjJbEHA@mail.gmail.com>
Date: Wed, 20 Jul 2011 14:09:38 -0400
Message-ID: <CAP992=HmZM9H2i+rFLVNrJVzfQT2qSPzWRm4gQXc2wTQ8fdBTA@mail.gmail.com>
From: David Endicott <dendicott@gmail.com>
To: Brian <theturtle32@gmail.com>
Content-Type: multipart/alternative; boundary="0016364d2c79b962c604a8842229"
Cc: Hybi <hybi@ietf.org>, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] deflate-stream and masking
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 18:10:04 -0000
Unlurking to agree. When it was optional it was avoidable and non-impairing. It should not be mandatory. +6.02 x10^23 votes for removal from specification (which when deflated is just +1, I believe) On Wed, Jul 20, 2011 at 5:50 AM, Brian <theturtle32@gmail.com> wrote: > +500. deflate-stream has always been utterly ridiculous in light of > masking. It really should get the axe, and with extreme prejudice. Why is > it still in the spec? I don't recall anyone citing a reasonable reason for > keeping it, but there have been many very good arguments against it. It's > not even very clearly specified in the document -- when I implemented it in > my Flash client, I had to read the source code of Andy Green's > implementation to figure out how it was supposed to work -- his > implementation became my specification for the extension. > > Brian > > > On Tue, Jul 19, 2011 at 7:34 PM, Greg Wilkins <gregw@intalio.com> wrote: > >> I've just noticed that the w3c is currently intending to make support >> for deflate-stream mandatory! >> >> http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917 >> >> This moves this extension from being useless, but mostly harmless, to >> being a major impost on servers and intermediaries. >> If the browser make this mandatory, then servers will obviously have >> to support it at a cost of extra CPU, extra buffers but for no >> significant savings in bandwidth. >> Intermediaries that wish to act on frame boundaries will also have to >> implement it. >> >> This illustrate that having silly options always puts you at risk of >> people taking you up on those options. >> >> This extension is demonstrably broken and needs to be either fixed or >> removed. >> >> regards >> >> >> >> On 20 June 2011 16:33, Greg Wilkins <gregw@intalio.com> wrote: >> > As part of my continuing campaign against including deflate-stream in >> > the specification as a standard extension, I did a quick test of how >> > well it works when applied to masked frames. >> > >> > I took a days worth of traffic from an IRC channel and wrapped it up >> > as JSON messages sent as websocket frames. >> > There were 487 message that looked like: >> > >> > {channel:"#webtide", username:"tbecker", text:"joakime: jenkins >> > had issues pulling from github a couple of times last week"} >> > >> > As an unmasked WS stream, it was 50675 bytes, and as a masked stream >> > is was 52623 bytes. >> > I then compressed both these streams with gzip and got 13306 bytes for >> > unmasked and 51704 bytes for the masked!!!! >> > >> > So for this very typical example, masking was sufficiently random to >> > completely negate the benefits of compression. >> > >> > So the deflate-stream "extension" is: >> > >> > + next to useless for inbound traffic >> > + breaks all the rules of what an extension can do >> > + is potentially vulnerable to injection as attackers can send >> > repeated patterns that may subvert masking >> > + can be replaced by the in-frame compression extension already >> proposed. >> > + was inserted in the draft with little or no discussion and without >> > clear consensus. >> > >> > Can I call for a straw poll of who wants to keep this extension in the >> spec? >> > >> > >> > >> > regards >> > >> _______________________________________________ >> hybi mailing list >> hybi@ietf.org >> https://www.ietf.org/mailman/listinfo/hybi >> > > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi > >
- [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Dirkjan Ochtman
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Bob Gezelter
- Re: [hybi] deflate-stream and masking Arman Djusupov
- Re: [hybi] deflate-stream and masking Bruce Atherton
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Ian Fette (イアンフェッティ)
- Re: [hybi] deflate-stream and masking Andy Green (林安廸)
- Re: [hybi] deflate-stream and masking Bruce Atherton
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Brian
- Re: [hybi] deflate-stream and masking Arman Djusupov
- Re: [hybi] deflate-stream and masking Philipp Serafin
- [hybi] Fwd: Re: deflate-stream and masking Justin Lee
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Alexander Philippou
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Patrick McManus
- Re: [hybi] deflate-stream and masking Alexander Philippou
- Re: [hybi] deflate-stream and masking Peter Saint-Andre
- Re: [hybi] deflate-stream and masking Gabriel Montenegro
- Re: [hybi] deflate-stream and masking Patrick McManus
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Willy Tarreau
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking David Endicott
- Re: [hybi] deflate-stream and masking Peter Saint-Andre
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking John Tamplin
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Bjoern Hoehrmann
- Re: [hybi] deflate-stream and masking Greg Wilkins
- Re: [hybi] deflate-stream and masking Peter Saint-Andre