IETF Logo Mail Archive

Re: [hybi] On TLS-only Approaches

"Shelby Moore" <shelby@coolpage.com> Mon, 23 August 2010 13:20 UTC

Return-Path: <shelby@coolpage.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 066133A6A41 for <hybi@core3.amsl.com>; Mon, 23 Aug 2010 06:20:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[AWL=0.203, BAYES_00=-2.599, SARE_WEOFFER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 39HNbTvaka+S for <hybi@core3.amsl.com>; Mon, 23 Aug 2010 06:20:34 -0700 (PDT)
Received: from www5.webmail.pair.com (www5.webmail.pair.com [66.39.3.83]) by core3.amsl.com (Postfix) with SMTP id 8B8683A6A35 for <hybi@ietf.org>; Mon, 23 Aug 2010 06:20:34 -0700 (PDT)
Received: (qmail 40019 invoked by uid 65534); 23 Aug 2010 13:21:07 -0000
Received: from 121.97.54.174 ([121.97.54.174]) (SquirrelMail authenticated user shelby@coolpage.com) by sm.webmail.pair.com with HTTP; Mon, 23 Aug 2010 09:21:07 -0400
Message-ID: <a75b81e107ad7dceeea10359625d8027.squirrel@sm.webmail.pair.com>
In-Reply-To: <EBFF1F9D-E200-47B9-A554-02AAECD9FEF7@mnot.net>
References: <AANLkTikJcbyEZ-Y0FOXni89L8Awa_UBmMMDvLgsOuoou@mail.gmail.com> <43E0DD8E-1D83-44D2-8D8B-5914A0FFFDFB@mnot.net> <A6CD606F-0908-415B-9589-76291C88134A@apple.com> <EBFF1F9D-E200-47B9-A554-02AAECD9FEF7@mnot.net>
Date: Mon, 23 Aug 2010 09:21:07 -0400
From: Shelby Moore <shelby@coolpage.com>
To: Mark Nottingham <mnot@mnot.net>
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: Server-Initiated HTTP <hybi@ietf.org>
Subject: Re: [hybi] On TLS-only Approaches
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: shelby@coolpage.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Aug 2010 13:20:36 -0000

>
> On 23/08/2010, at 2:03 PM, Maciej Stachowiak wrote:
>>
>> Do we have any past success stories along these lines? i.e. a new
>> protocol using a new port is developed, clients and servers start using
>> it despite the high rate of failure, and subsequently administrators
>> change their firewalls so that it commonly works.
>
> HTTP
> SIP
> ssh
> various forms of VPNs
>
> See also the contents of /etc/services on most Unix-like systems.


I read in this thread mostly bottom-up arguments about technology and very
little top-down game theory about what really matters.

Ultimately, success of anything depends on whether people need it, crave
it, want it, drool over it, and if there exists no other readily available
alternative which has less inertia against it.

We geeks need to remember that ultimately it is not about web services
developers, nor principles of technological perfection, it is about end
users:

http://www.ietf.org/mail-archive/web/hybi/current/msg03548.html

Tangential to my point above, if we want to enable the killer-application,
why are we refusing to enable 99% of the internet to use WebSockets:

http://www.ietf.org/mail-archive/web/hybi/current/msg03549.html

<truth-rant>And I am talking about the permutations of interconnections
that exist now, but are being wasted by we geeks who think we know
better.</truth-rant>

I see no reason that we can not support WebSockets over HTTP, HTTPS (TLS),
and also have a new port for WebSockets.

Why should we pick the winners and losers?  Let the market place decide. 
The more options we offer the market place, then the better chance we have
that our orthogonal effort on the WebSocket frames won't be wasted (i.e.
not maximized).



>
>
>> OK, let's try a game theoretic model. Here are some assumptions about
>> the three players:
>>
>> => The goal for browser vendors (Player B) is to provide features that
>> Web services developers want to use.
>>   => Corollary: Browser vendors are unlikely to ship features that
>> cannot or will not be used by Web service providers.
>>
>> => The goal for those deploying Web services (Player S) is to provide
>> the benefit to their users - preferably greater benefit to a greater
>> number of users.
>>   => Corollary: Deployers of Web services are often unwilling to use any
>> feature that lacks very wide reach to their audience, or is otherwise
>> unreliable.
>>
>> => The goal for network administrators (Player N) is to protect their
>> organization from unknown threats while at the same time enabling their
>> users to access sufficiently important services.
>>   => Corollary: Most network administrators will not allow access to
>> additional services
>>
>> Player B to move first. Player S to move second. I claim the optimal
>> move is to enable deployment over existing unblocked ports (which in
>> practice means 80 or 443). Can you give a game theoretic argument for
>> why "use a new port" is a better move? I think you have shown that it
>> might not be a complete failure, but I don't see how it improves
>> outcomes for Player S or Player B. It may be worse for Player N, but
>> it's not his move. With high probability, he won't respond with "block
>> all port 443 traffic".
>
>
> Why do you need to use TLS over port 443, if this is just about making the
> protocol more widely adoptable?
>
> Also, if it's as bleak as you paint it, how do you expect *any* of the new
> HTML5 features to get adoption? Never mind the network administrators --
> if "those deploying Web services" are so conservative, why would they use
> the video tag, etc?
>
> The answer to that (mostly) rhetorical question is the same as it is here;
> it's a gradual process; some Web sites will be more on the bleeding edge
> and either a) require their users to use relatively new browsers / "open"
> networks, or b) undertake fallback strategies for old browsers / closed
> ports. More conservative sites will follow later.
>
> AIUI in the various tests that have been undertaken, more than half of
> browsers *can* access services on new ports. Compared to deployed support
> for, say, the video tag, that's a great starting point.
>
> Finally, network administrators won't (often) block all port 443 traffic,
> but using it like this will encourage a market for devices that can
> intercept SSL/TLS. E.g.,
>   http://www.bluecoat.com/node/2644
>   https://www.microsoft.com/forefront/threat-management-gateway/en/us/features.aspx
>   http://wiki.squid-cache.org/Features/SslBump
>   http://www.collectivesoftware.com/Products/ClearTunnel
>
> Cheers,
>
> --
> Mark Nottingham     http://www.mnot.net/
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>
>

v2.23.0 | Report a Bug | By Email