IETF Logo Mail Archive

Re: [hybi] deflate-stream and masking

"Arman Djusupov" <arman@noemax.com> Wed, 20 July 2011 11:00 UTC

Return-Path: <arman@noemax.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3656C21F89CC for <hybi@ietfa.amsl.com>; Wed, 20 Jul 2011 04:00:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nrvFhbC9+5pq for <hybi@ietfa.amsl.com>; Wed, 20 Jul 2011 04:00:28 -0700 (PDT)
Received: from mail.noemax.com (mail.noemax.com [64.34.201.8]) by ietfa.amsl.com (Postfix) with ESMTP id 8ADF021F89C1 for <hybi@ietf.org>; Wed, 20 Jul 2011 04:00:28 -0700 (PDT)
Received: from ArmanLaptop by mail.noemax.com (IceWarp 9.4.1) with ASMTP (SSL) id DSU96225; Wed, 20 Jul 2011 14:00:25 +0300
From: Arman Djusupov <arman@noemax.com>
To: 'Brian' <theturtle32@gmail.com>, 'Greg Wilkins' <gregw@intalio.com>
References: <BANLkTi=UVMAd1nER6mRBe7zoD29CSbCkGA@mail.gmail.com> <CAH_y2NFMdr1ZU2dfy9mCRepZc2R_hnzg0oa3kYPKhWY-FX_8Og@mail.gmail.com> <CAE8AN_V-P2L0mVwjPQYxAypJ67=QWKAhWnDqrM_XmDQXjJbEHA@mail.gmail.com>
In-Reply-To: <CAE8AN_V-P2L0mVwjPQYxAypJ67=QWKAhWnDqrM_XmDQXjJbEHA@mail.gmail.com>
Date: Wed, 20 Jul 2011 13:58:56 +0300
Message-ID: <002701cc46cc$0a04c820$1e0e5860$@noemax.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0028_01CC46E5.2F558290"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJtbZIPsxx6nk+v9a54Z7d+SmDrRQIQLZCuAX2yFPuTlkytUA==
Content-Language: en-us
Cc: 'Hybi' <hybi@ietf.org>
Subject: Re: [hybi] deflate-stream and masking
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 11:00:31 -0000

> +500.  deflate-stream has always been utterly ridiculous in light of
masking. 

 

Actually when the frame is relatively large, deflate-stream compression does
reduce the size of the payload. For example one of my tests involved sending
a 2MB XML file as a single masked frame which resulted in 90% compression
(i.e. transferred size was a tenth of the original file). So the
"deflate-stream" extension  is not completely useless, it's just very
situational.

 

> Brian

 

With best regards,

Arman

 

 

From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of
Brian
Sent: Wednesday, July 20, 2011 12:50 PM
To: Greg Wilkins
Cc: Hybi
Subject: Re: [hybi] deflate-stream and masking

 

+500.  deflate-stream has always been utterly ridiculous in light of
masking.  It really should get the axe, and with extreme prejudice.  Why is
it still in the spec?  I don't recall anyone citing a reasonable reason for
keeping it, but there have been many very good arguments against it.  It's
not even very clearly specified in the document -- when I implemented it in
my Flash client, I had to read the source code of Andy Green's
implementation to figure out how it was supposed to work -- his
implementation became my specification for the extension.

 

Brian

 

On Tue, Jul 19, 2011 at 7:34 PM, Greg Wilkins <gregw@intalio.com> wrote:

I've just noticed that the w3c is currently intending to make support
for deflate-stream mandatory!

 http://www.w3.org/Bugs/Public/show_bug.cgi?id=12917

This moves this extension from being useless, but mostly harmless, to
being a major impost on servers and intermediaries.
If the browser make this mandatory, then servers will obviously have
to support it at a cost of extra CPU, extra buffers but for no
significant savings in bandwidth.
Intermediaries that wish to act on frame boundaries will also have to
implement it.

This illustrate that having silly options always puts you at risk of
people taking you up on those options.

This extension is demonstrably broken and needs to be either fixed or
removed.

regards




On 20 June 2011 16:33, Greg Wilkins <gregw@intalio.com> wrote:
> As part of my continuing campaign against including deflate-stream in
> the specification as a standard extension, I did a quick test of how
> well it works when applied to masked frames.
>
> I took a days worth of traffic from an IRC channel and wrapped it up
> as JSON messages sent as websocket frames.
> There were 487 message that looked like:
>
>     {channel:"#webtide", username:"tbecker", text:"joakime: jenkins
> had issues pulling from github a couple of times  last week"}
>
> As an unmasked WS stream, it was 50675 bytes, and as a masked stream
> is was 52623 bytes.
> I then compressed both these streams with gzip and got 13306 bytes for
> unmasked and 51704 bytes for the masked!!!!
>
> So for this very typical example, masking was sufficiently random to
> completely negate the benefits of compression.
>
> So the deflate-stream "extension" is:
>
>  + next to useless for inbound traffic
>  + breaks all the rules of what an extension can do
>  + is potentially vulnerable to injection as attackers can send
> repeated patterns that may subvert masking
>  + can be replaced by the in-frame compression extension already proposed.
>  + was inserted in the draft with little or no discussion and without
> clear consensus.
>
> Can I call for a straw poll of who wants to keep this extension in the
spec?
>
>
>
> regards
>
_______________________________________________
hybi mailing list
hybi@ietf.org
https://www.ietf.org/mailman/listinfo/hybi

v2.23.0 | Report a Bug | By Email