Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Zhong Yu <zhong.j.yu@gmail.com> Wed, 01 December 2010 22:11 UTC

In-Reply-To: <7163BB66-CBE9-4025-A229-FA6A5D0695AE@apple.com>
References: <AANLkTik0wR-Oag5YJJDmdiSy67WW6TMaHmqWEo4o5kGW@mail.gmail.com> <AANLkTimwEtKrJm5KxTYZ4wrtONBYDTGjE5LF7__AHBEU@mail.gmail.com> <20101201183540.GF19021@1wt.eu> <AANLkTi=r-is4ZqJc6itsaBkyrmW746xXj8OV78M_Qbi3@mail.gmail.com> <20101201184828.GH19021@1wt.eu> <AANLkTinLmAdKr3gOkk-k=TXPX-HhX0xea5r_AkgfM=cP@mail.gmail.com> <7163BB66-CBE9-4025-A229-FA6A5D0695AE@apple.com>
Date: Wed, 01 Dec 2010 16:12:21 -0600
Message-ID: <AANLkTinNB-Qh5bVTiJUjRJKg7Y5gO5dAURi-7H7EsbV7@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
List-Id: Server-Initiated HTTP <hybi.ietf.org>

If HTTP compliance is important, we cannot arbitrarily separate the Method
from the headers.

CONNECT with a bogus Host is hardly HTTP compliant. A correctly
implemented endpoint should reject it. It's a flaw if it's accepted.
Should WebSocket be based on such flaws?

CONNECT with a real Host seems to be OK. And Adam's experiments did NOT
reveal any security problems caused by a real Host header in the
handshake.

Does Roy have any problem with CONNECT + real Host being used for
WebSocket tunneling?

On Wed, Dec 1, 2010 at 3:47 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Dec 1, 2010, at 11:00 AM, Eric Rescorla wrote:
>
>
> On Wed, Dec 1, 2010 at 10:48 AM, Willy Tarreau <w@1wt.eu> wrote:
>>
>> On Wed, Dec 01, 2010 at 01:43:59PM -0500, John Tamplin wrote:
>> > AFAIK, the Hello frames do not appear in any draft and only in Greg's
>> > proposal.  Personally, I am not sure what exactly they buy us and I
>> > don't know if we want to pay the extra round trip for them.
>>
>> I'm sorry, I thought we had that in -03. At some point I'm getting lost
>> between proposals and drafts :-)
>>
>> > So, if we really want this to be incremental, it would be a change
>> > from Ian's last draft.
>>
>> That's what I wanted indeed.
>>
>> > As I understand it, these are the components of Adam's latest proposal:
>> >  1) use CONNECT instead of GET+Upgrade
>> >  2) use a fixed, bogus host header and mask the real headers
>> >  3) mask all payload data
>
> I thought that we already agreed on this point weeks ago.
>
> I think what's new now is that we are approaching consensus on adopting
> point (1).
> It sounds like we don't yet have consensus on (2) - people would rather
> adopt (1) first, and then examine it further.
> I don't recall the state of the discussion on (3). I think the new
> XOR-masking likely addresses the concerns with the original AES masking.
> Regards,
> Maciej
>
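As an added illustration of the "real Host vs. bogus Host" distinction argued in the message above (example code written for this page, not anything from the hybi thread or from the proposals it discusses), the check below accepts a CONNECT handshake only when its Host header names the same authority as the request-target, and accepts a GET handshake only when it carries the Upgrade/Connection headers. The sample requests are constructed; the host names are placeholders.

```python
# Added example, not from the hybi thread: a strict server-side check on the
# two candidate WebSocket handshake shapes discussed on the list.
#  - GET+Upgrade: must carry "Upgrade: websocket" and "Connection: Upgrade".
#  - CONNECT: request-target is authority-form (host:port); a compliant
#    endpoint insists that Host names that same authority, so a fixed bogus
#    Host value is rejected rather than tunnelled.

def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_handshake(raw: bytes) -> str:
    """Return 'upgrade', 'connect' or 'reject' for a candidate handshake."""
    method, target, h = parse_request(raw)
    if method == "GET":
        upgrade_ok = h.get("upgrade", "").lower() == "websocket"
        connection_ok = "upgrade" in h.get("connection", "").lower()
        return "upgrade" if (upgrade_ok and connection_ok) else "reject"
    if method == "CONNECT":
        # Host must be present and identical to the authority-form target.
        if h.get("host", "").lower() == target.lower():
            return "connect"
        return "reject"
    return "reject"


# Constructed sample handshakes (placeholder host names).
UPGRADE_REQ = (b"GET /chat HTTP/1.1\r\nHost: example.com\r\n"
               b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
               b"Sec-WebSocket-Key: placeholder\r\n\r\n")
CONNECT_REAL = (b"CONNECT example.com:80 HTTP/1.1\r\n"
                b"Host: example.com:80\r\n\r\n")
CONNECT_BOGUS = (b"CONNECT example.com:80 HTTP/1.1\r\n"
                 b"Host: websocket.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("GET+Upgrade", UPGRADE_REQ), ("CONNECT, real Host", CONNECT_REAL),
                      ("CONNECT, bogus Host", CONNECT_BOGUS)]:
        print("%-22s -> %s" % (name, classify_handshake(req)))
```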