Re: [hybi] workability (or otherwise) of HTTP upgrade

Maciej Stachowiak <mjs@apple.com> Tue, 07 December 2010 07:03 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA7263A68C2 for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 23:03:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.226
X-Spam-Level:
X-Spam-Status: No, score=-107.226 tagged_above=-999 required=5 tests=[AWL=-0.627, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uu+nRctngXAP for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 23:03:40 -0800 (PST)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 123F83A6923 for <hybi@ietf.org>; Mon, 6 Dec 2010 23:03:40 -0800 (PST)
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out3.apple.com (Postfix) with ESMTP id 4FC1DBDC7C54 for <hybi@ietf.org>; Mon, 6 Dec 2010 23:05:05 -0800 (PST)
X-AuditID: 11807130-b7bedae0000025cd-d9-4cfddca13697
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay11.apple.com (Apple SCV relay) with SMTP id 70.30.09677.1ACDDFC4; Mon, 6 Dec 2010 23:05:05 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.72.145.151] by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0LD1007XXQC8XF20@et.apple.com> for hybi@ietf.org; Mon, 06 Dec 2010 23:05:05 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net>
Date: Mon, 06 Dec 2010 23:04:55 -0800
Message-id: <4F2580A7-79C2-4B0A-BCE5-7FB6D9AA0ED7@apple.com>
References: <AANLkTin6=8_Bhn2YseoSHGh1OSkQzsYrTW=fMiPvYps1@mail.gmail.com> <20101126000352.ad396b9a.eric@bisonsystems.net> <AANLkTimzQyG4hugOvHqoNrBrZFA4fGbGXQ7MZ2i+68dO@mail.gmail.com> <BB947F6D-15AA-455D-B830-5E12C80C1ACD@mnot.net> <81870DB1-B177-4253-8233-52C4168BE99D@apple.com> <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <57D4B885-B1D8-482F-8747-6460C0FFF166@apple.com> <37A00E8D-B55C-49AD-A85C-A299C80FFF17@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.1082)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2010 07:03:41 -0000

On Dec 6, 2010, at 10:44 PM, Mark Nottingham wrote:

> 
> On 07/12/2010, at 5:16 PM, Maciej Stachowiak wrote:
>> Even if declare that WebSocket is not "meant to" be served by the same origin server as HTTP, we still have the following issues:
>> 
>> - We don't want WebSocket to be usable to attack an HTTP origin server. Even if WebSocket connects are not "meant to" go to an HTTP server, an attacker can still choose to do this, so we must defend against this scenario.
>> - We don't want WebSocket to be usable to attack an HTTP intermediary. The attacks described by Adam and Eric do not depend on the concept that a network protocol is meant to go to an HTTP server, indeed, attacks are possible with Java sockets and Flash sockets, which don't care at all what kind of server is at the other end.
>> - We don't want WebSocket servers to be easily attackable using HTTP clients built into Web browsers, since we have learned from HTTP's history of cross-protocol attacks and are responsible enough to avoid creating the same kinds of problems.
>> - If WebSocket was blatantly incompatible with HTTP, the good folks of the IETF would probably not be happy about using it over port 80.
>> 
>> I think this ends up putting us in the same basic design space that we've already been discussing for the WebSocket protocol, even if we don't think it is a recommended setup to serve WebSocket and HTTP from the same port on the same host at the same time. In fact, even if we don't recommend using WebSocket over port 80, as long as the in-browser client lets Web applications choose the port, most of the above issues arise.
>> 
>> About the only simplification from this kind of scheme would be that we don't have to care about making it easy for infrastructure to dispatch between WebSocket and HTTP. We'd just have to make sure HTTP servers will bail early.
> 
> These are all absolutely still concerns, but we have proposals for addressing them. 

Indeed, we do, and they result in something that is reasonably HTTP-compatible, enough that you could make a two-way server. 
> 
> The difference is that we wouldn't have to figure out how to make it safe *and* compatible with the existing HTTP infrastructure; we wouldn't have to catch all of the accidental / deployment issues as well as the active attacks.
> 
> That would make the way forward fairly simple:
> 
> 1) Designate a new port for Websockets traffic
> 2) Allow that to be overridden (much as with HTTP and pretty much every other protocol) for people who have immediate deployment considerations (i.e., they'll use 443)
> 3) Design the protocol so that it can't spoof other protocols, by using a selection of techniques:
>  a) Exchanging a nonce, with HMAC response
>  b) Armouring each message 
>  c) Encrypting the whole damn thing
> *without* the pretence that it's HTTP.
> 
> I'm sure (3) is an oversimplification and/or just plain wrong, but that's why we have Adam. #1 gives us a long-term safe deployment strategy, whereas #2 lets the impatient deploy right away, and also gives a fallback if #1 doesn't take off in the long run.

Adam and Eric's proposal basically does what you say, except that it doesn't designate a new port for WebSocket traffic, and it makes a small nod towards letting servers and server-side infrastructure dispatch between WebSocket and HTTP on the same port. I am not sure it would simplify things much to abandon those goals.

If the goal was not to interoperate with HTTP at all, it would be much better to use an approach where everything is encrypted. One plausible way to do that would be to restrict the protocol to TLS-only, at which point the nextprotoneg proposal can take care of dispatch without having to involve the HTTP layer. I think this is a plausible option, but many hybi WG members have expressed concern about the performance issues and other barriers to deployment of an all-TLS solution.

Another approach is to invent our own crypto and start with a key exchange. Inventing crypto makes me nervous compared to using something known (such TLS), and might well impose many of the same costs that folks are worried about with TLS.

It's also worth noting that operating over ports 80/443 and coexisting with an HTTP server are goals that come from our charter and requirements document, so abandoning those goals would likely require a major reboot of the group. We already have implementors impatient to see a production-shippable protocol, it doesn't seem so great to me to go back to the drawing board.

Regards,
Maciej