Re: [hybi] Moving to a CONNECT-based handshake

Maciej Stachowiak <mjs@apple.com> Wed, 01 December 2010 07:25 UTC

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 30 Nov 2010 23:26:07 -0800
To: Greg Wilkins <gregw@webtide.com>
Cc: Joe Hildebrand <Joe.Hildebrand@webex.com>, hybi@ietf.org
Subject: Re: [hybi] Moving to a CONNECT-based handshake

On Nov 30, 2010, at 9:42 PM, Greg Wilkins wrote:

> 
> 
> On 30 November 2010 19:52, John Tamplin <jat@google.com> wrote:
> On Tue, Nov 30, 2010 at 2:42 PM, Joe Hildebrand
> <Joe.Hildebrand@webex.com> wrote:
> > That's been suggested in the past, and likely won't get us to consensus
> > quicker.
> 
> In the past, we didn't have a demonstrated attack on the Upgrade
> handshake, which is why I thought it might be worth bringing up.
> 
> 
> We still don't have a demonstrated attack on the Upgrade handshake.
> We have a demonstrated attack on something a little bit like the Upgrade handshake, but is essentially just sending two HTTP requests in a row, the first with upgrade headers and then being amazed that some intermediaries that ignore upgrade are seeing the second HTTP request.

I think the experiment demonstrates that the Upgrade handshake itself doesn't protect against this transparent proxy attack at all. This leaves framing as the only possible remaining defense, which is rather weak. I would count this as a demonstrated exploit.

> 
> I really do not like how this discussion is being conducted, as too many concerns are being mixed together.
> 
> It may well be that CONNECT is better than Upgrade, but that does not mean that we should be sending bogus host information. 
> 
> It may well be that encrypting host information is necessary, but that does not mean that we need to use CONNECT.
> 
> The two proposals should be considered separately.  We got into this handshake mess in the first place by "accepting" a bunch of changes as a batch when we only had consensus on a few aspects.

It's clear that the combination of the two proposals is safer than using neither. It may be that using only one is sufficient, but no one has given strong evidence that this is so.

Regards,
Maciej
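As an added illustration of the disagreement above (not code from the thread or from any real proxy), a small Python model of the two intermediary behaviours being argued about: one that keeps parsing the client stream as back-to-back HTTP requests regardless of Upgrade, and one that stops treating the bytes as HTTP once the Upgrade request has gone by. The byte stream and host names are constructed, and the model assumes the server accepts the upgrade.

```python
"""Model of how an intermediary interprets a client byte stream that carries a
WebSocket Upgrade request followed by more bytes on the same connection.
Constructed illustration; not the behaviour of any particular product."""

# Constructed client stream: an Upgrade handshake, then more bytes that happen
# to look like a second HTTP request (no request bodies, so a blank line ends each).
STREAM = (
    b"GET /chat HTTP/1.1\r\nHost: ws.example.test\r\n"
    b"Connection: Upgrade\r\nUpgrade: websocket\r\n\r\n"
    b"GET /other.js HTTP/1.1\r\nHost: other.example.test\r\n\r\n"
)


def parse_request_line(req: bytes) -> tuple[str, str]:
    """Return (method, target) from the first line of a request."""
    method, target, _version = req.split(b"\r\n", 1)[0].decode().split(" ", 2)
    return method, target


def is_upgrade_request(req: bytes) -> bool:
    """True when the header block asks to switch the connection to WebSocket."""
    fields = {}
    for line in req.split(b"\r\n")[1:]:
        name, _, value = line.decode().partition(":")
        fields[name.strip().lower()] = value.strip().lower()
    return fields.get("connection") == "upgrade" and fields.get("upgrade") == "websocket"


def naive_view(stream: bytes) -> list[tuple[str, str]]:
    """Intermediary that ignores Upgrade: every blank-line-terminated block is a request."""
    return [parse_request_line(r) for r in stream.split(b"\r\n\r\n") if r]


def upgrade_aware_view(stream: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Intermediary that honours Upgrade: after the Upgrade request (assumed
    accepted by the server) the rest of the connection is opaque tunnel bytes."""
    parsed: list[tuple[str, str]] = []
    rest = stream
    while rest:
        head, sep, rest = rest.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete header block; a real proxy would buffer for more
        parsed.append(parse_request_line(head))
        if is_upgrade_request(head):
            return parsed, rest  # stop parsing HTTP here
    return parsed, b""
```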