Re: [hybi] Why not just use ssh?

Eric Rescorla <ekr@rtfm.com> Tue, 31 August 2010 20:55 UTC

In-Reply-To: <d48398080b610405d982ffd924f58e27.squirrel@sm.webmail.pair.com>
References: <d48398080b610405d982ffd924f58e27.squirrel@sm.webmail.pair.com>
Date: Tue, 31 Aug 2010 13:55:35 -0700
Message-ID: <AANLkTin8CiHFoOSFdcRPern5YY-FdODC4GST+BrP3t_j@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: shelby@coolpage.com
Content-Type: multipart/alternative; boundary="001636499f777dc4ac048f24cd01"
Cc: hybi@ietf.org
Subject: Re: [hybi] Why not just use ssh?

On Tue, Aug 31, 2010 at 1:41 PM, Shelby Moore <shelby@coolpage.com> wrote:

> >> I think we need to deliver on HTTP Upgrade.
> >
> > TLS works over any port.  The point of using TLS alone is to block
> > cross-protocol attacks.  If we provide both TLS and non-TLS options,
> > the attackers will choose the non-TLS option for their attackers
> > whereas the folks who actually want to connect to the server more than
> > 60-some percent of the time will use the TLS option.  Offering both is
> > a lose-lose.
>
> Notwithstanding that I think cross-protocol attacks are the fault of the
> target protocol, do not forget that browsers can allow users to turn off
> or opt in to certain features.
>

I don't see the relevance of this.

The extant protocols have whatever set of security properties they have. The browser security model is designed to prevent Web sites from exploiting them. I don't consider (and as far as I can tell, pretty much nobody else considers) shipping a solution that threatens the security of those protocols to be an option.

As for turning features on or off, I have no idea what you propose there. If some feature needs to be turned on to make legitimate sites work, then users will turn it on for every site. If it's made too difficult to turn on then sites won't be able to count on it and it will go unused. Extensive HCI research indicates that users simply can't discriminate effectively in these matters.

Adam: I'm not entirely clear on your point. I agree that if the HTTP version is more vulnerable to cross-protocol attacks then attackers will exploit it, but if the HTTP and HTTPS versions are equally vulnerable, why would attackers favor HTTP? What am I missing?
-Ekr