Re: [hybi] Redesigning the Web Socket handshake

Maciej Stachowiak <mjs@apple.com> Fri, 05 February 2010 11:52 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A26E3A6D3E for <hybi@core3.amsl.com>; Fri, 5 Feb 2010 03:52:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.591
X-Spam-Level:
X-Spam-Status: No, score=-106.591 tagged_above=-999 required=5 tests=[AWL=0.007, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X+N5Y89-bWF3 for <hybi@core3.amsl.com>; Fri, 5 Feb 2010 03:52:45 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 4B4933A6880 for <hybi@ietf.org>; Fri, 5 Feb 2010 03:52:45 -0800 (PST)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out4.apple.com (Postfix) with ESMTP id 6D5268A380E9 for <hybi@ietf.org>; Fri, 5 Feb 2010 03:53:35 -0800 (PST)
X-AuditID: 11807134-b7cd9ae000001002-c3-4b6c06bfb4d0
Received: from elliott.apple.com (elliott.apple.com [17.151.62.13]) by relay14.apple.com (Apple SCV relay) with SMTP id FE.36.04098.FB60C6B4; Fri, 5 Feb 2010 03:53:35 -0800 (PST)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_zl13W+n1xg87ZTlpDS7eMA)"
Received: from [10.0.1.5] (c-69-181-42-237.hsd1.ca.comcast.net [69.181.42.237]) by elliott.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KXD00I8MAD98900@elliott.apple.com> for hybi@ietf.org; Fri, 05 Feb 2010 03:53:34 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <A82FE113-B675-424A-9B35-737A7CB1A5BA@nokia.com>
Date: Fri, 05 Feb 2010 03:53:32 -0800
Message-id: <D9B3CE74-246F-436D-8452-0148355CD6E2@apple.com>
References: <Pine.LNX.4.64.1002012305000.21600@ps20323.dreamhostps.com> <4B6A98EE.9090006@it.aoyama.ac.jp> <A82FE113-B675-424A-9B35-737A7CB1A5BA@nokia.com>
To: Lars Eggert <lars.eggert@nokia.com>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Redesigning the Web Socket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2010 11:52:46 -0000

On Feb 5, 2010, at 12:23 AM, Lars Eggert wrote:

> Hi,
> 
> On 2010-2-4, at 11:52, Martin J. Dürst wrote:
>> On 2010/02/02 8:47, Ian Hickson wrote:
>> 
>>> * Using ports 81/815 instead of 80/443 would be ideal, but IANA said that
>>>  if we look like HTTP, we must use ports 80/443.
> 
> I'm trying to find out from IANA if this is really what the IANA Expert Reviewer said. There might have been a misunderstanding here.
> 
>> Well, the port space is pretty crowded these days. But IANA is not going 
>> to tell the *IETF* that they need the same ports as another protocol in 
>> case the IETF decides that it needs different ports. IANA's job 
>> description, for the protocol registries, is essentially: Register 
>> everything the IETF tells you, the way they tell you.
> 
> IANA assumes that requests coming through the IETF have been more carefully vetted than port requests that arrive from elsewhere, so there is no Expert Review for those, because the IETF process should have eliminated/corrected nonsensical requests before they hit IANA.
> 
>> So for the moment, please assume that if we (as an IETF WG, followed by 
>> IETF last call) decide that we need new ports, IANA will try their best 
>> to give us new ports. The exact number may be treated as a detail.
> 
> Yes.

Notwithstanding what IANA may say, sharing the standard HTTP and HTTPS ports is rather useful for getting through firewalls. Even if they were not the defaults, I bet a lot of people would manually choose 443 in particular. Given this, we really want to make the protocol look enough like HTTP that you can share that port on the same host between HTTP and WebSocket. If there was no need to look anything like HTTP, we could use a handshake that's much more secure n the face of cross-protocol attacks.

Regards,
Maciej