Re: [hybi] Moving to a CONNECT-based handshake

Julian Reschke <julian.reschke@gmx.de> Wed, 01 December 2010 11:50 UTC

Message-ID: <4CF636D8.2050304@gmx.de>
Date: Wed, 01 Dec 2010 12:51:52 +0100
From: Julian Reschke <julian.reschke@gmx.de>
To: Maciej Stachowiak <mjs@apple.com>
References: <op.vmzqkhszidj3kv@simon-pieterss-macbook.local> <4CF52558.9010100@gmx.de> <4CF529FF.9080708@opera.com> <BB31C4AB95A70042A256109D4619912605790150@XCH117CNC.rim.net> <AANLkTimzTvtho0m9HZSe6exgSwZxbCnxtmeJd2-G0aSK@mail.gmail.com> <BB31C4AB95A70042A256109D4619912605790178@XCH117CNC.rim.net> <BB31C4AB95A70042A256109D4619912605790190@XCH117CNC.rim.net> <AANLkTimQJz22RtoVnB16C8Mi4C8=QKB946wSR9BRsP85@mail.gmail.com> <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com> <0FB073DB-9435-4DD6-8E7C-CD04DE75A104@webex.co> <AANLkTi=u_1j8tHUaL5V_xmuCWvxZUw3a=Yof5ySjHemj@mail.gmail.com> <AANLkTikG0Y1GfuqBAsk=2U2k4FHN7LuztKOwWJ9bLnO9@mail.gmail.com> <91FD4B44-386D-4452-AAE0-2076D82D4781@apple.com> <AANLkTi=dEkig+fKO+OJKhz2TkLFeGfFCu=6oGULA4jGw@mail.gmail.com> <CCA24994-EE8C-4880-A571-297B57A05FEA@apple.com> <4CF62A84.60203@gmx.de> <4DE54F88-D26A-4DCC-8CC5-5E0F6E8A3E43@apple.com>
In-Reply-To: <4DE54F88-D26A-4DCC-8CC5-5E0F6E8A3E43@apple.com>
Cc: Joe Hildebrand <Joe.Hildebrand@webex.com>, hybi@ietf.org
Subject: Re: [hybi] Moving to a CONNECT-based handshake

On 01.12.2010 12:39, Maciej Stachowiak wrote:
>
> On Dec 1, 2010, at 2:59 AM, Julian Reschke wrote:
>
>> On 01.12.2010 11:40, Maciej Stachowiak wrote:
>>> ...
>>> The longer we wait, the more chance that -00 will become the de facto standard.
>>> ...
>>
>> As far as I can tell, we have a draft that is stronger than -00, although maybe not perfect. Please use it.
>
> Do you mean -03 or Adam's handshake draft? -03 has the same handshake as -00 with the same security flaws. Adam's draft is indeed stronger, but it would be more polite to wait for WG consensus and not just implementor consensus on it, if possible.

It has the same (or a similar) handshake, but a different framing, so (as far as I understand) the vulnerability with respect to sending messages that might be misunderstood as HTTP is not present.

Best regards, Julian
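To make "different framing" concrete, the following is a small encoder for the two wire formats under discussion. It is an added example written by the editor, not code from this thread or from any draft's reference implementation. The frame layouts are the editor's reading of draft -00 (text frames as 0x00, UTF-8 payload, 0xFF) and draft -03 (MORE bit, RSV bits, 4-bit opcode, 7-bit length with 16/63-bit extensions, no masking); the -03 opcode number for text (0x4) is an assumption. The HTTP-looking payload is constructed for the example, and `attacker_bytes_verbatim` simply reports whether that payload appears unchanged in the bytes a transparent proxy would see in each framing.

```python
"""Added example (editor's code, not from the thread): frame one text message
the draft -00 way and the draft -03 way and compare what reaches the wire.
Layouts are the editor's reading of the drafts and are an assumption."""
import struct

# Assumption: -03 opcode numbering (continuation 0x0, close 0x1, ping 0x2,
# pong 0x3, text 0x4, binary 0x5), before the -04 renumbering.
OP_CONT_03 = 0x0
OP_TEXT_03 = 0x4
OP_BINARY_03 = 0x5

# Constructed payload: a WebSocket message whose bytes resemble an HTTP request.
HTTP_LOOKING = "GET /evil.js HTTP/1.1\r\nHost: victim.example\r\n\r\n"


def frame_hybi00(text: str) -> bytes:
    """-00 text frame: 0x00, UTF-8 payload, 0xFF. No length field, no masking."""
    payload = text.encode("utf-8")
    if b"\xff" in payload:
        # 0xFF is the terminator; valid UTF-8 never contains it, but check anyway.
        raise ValueError("0xFF cannot appear inside a -00 text frame")
    return b"\x00" + payload + b"\xff"


def frame_hybi03(text: str, opcode: int = OP_TEXT_03, more: bool = False) -> bytes:
    """-03 frame: byte 0 = MORE | RSV1-3 | opcode, byte 1 = RSV4 | 7-bit length,
    then a 16-bit (len==126) or 63-bit (len==127) extended length. No masking,
    so the payload follows the header unchanged."""
    payload = text.encode("utf-8")
    first = (0x80 if more else 0x00) | (opcode & 0x0F)
    n = len(payload)
    if n < 126:
        header = bytes([first, n])
    elif n < 0x10000:
        header = bytes([first, 126]) + struct.pack("!H", n)
    else:
        header = bytes([first, 127]) + struct.pack("!Q", n)
    return header + payload


def parse_hybi03(buf: bytes):
    """Decode one -03 frame from the front of buf.
    Returns (more, opcode, payload, bytes_consumed)."""
    more = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    n = buf[1] & 0x7F
    pos = 2
    if n == 126:
        (n,) = struct.unpack("!H", buf[2:4])
        pos = 4
    elif n == 127:
        (n,) = struct.unpack("!Q", buf[2:10])
        pos = 10
    if len(buf) < pos + n:
        raise ValueError("truncated frame")
    return more, opcode, buf[pos:pos + n], pos + n


def attacker_bytes_verbatim(frame: bytes, payload: str) -> bool:
    """True if the application payload appears unchanged inside the wire bytes,
    i.e. the framing adds headers but does not transform the content."""
    return payload.encode("utf-8") in frame


if __name__ == "__main__":
    for name, fn in (("-00", frame_hybi00), ("-03", frame_hybi03)):
        wire = fn(HTTP_LOOKING)
        print(name, "verbatim payload on the wire:",
              attacker_bytes_verbatim(wire, HTTP_LOOKING), wire[:12])
```

Run it on the constructed payload and the result for each draft is what a transparent proxy scanning the TCP stream would have to cope with; it is a check the reader can repeat with any payload of interest, which is what the "as far as I understand" above invites.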