Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

Greg Wilkins <gregw@webtide.com> Mon, 26 July 2010 00:06 UTC

Date: Mon, 26 Jul 2010 10:07:09 +1000
From: Greg Wilkins <gregw@webtide.com>
To: Mike Belshe <mike@belshe.com>
Cc: hybi@ietf.org

Mike,

Thanks for translating the intent of the browser dudes and explaining why
they are so concerned about this issue.

I am certainly not opposed to taking measures to ensure that websocket is
not an easy touch for attackers to use against other protocols and also to
make it more robust against attacks itself. I think these are reasonable
requirements.

However, I still don't see why the only acceptable solution to these
concerns has to be a rigid non-compliant HTTP handshake with space counting
and unframed bytes on the wire?

I think this WG has to clearly accept the concerns of browser vendors and
make sure that the requirements clearly capture them. But in return, the
browser vendors have to accept that there is more than one way to skin a
cat, and perhaps we can consider alternative solutions to the one that is
currently causing significant objections and real world problems.

cheers