[hybi] deflate-stream and masking

Greg Wilkins <gregw@intalio.com> Mon, 20 June 2011 06:33 UTC

Return-Path: <gregw@intalio.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id D9AF321F849A for <hybi@ietfa.amsl.com>; Sun, 19 Jun 2011 23:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.755
X-Spam-Status: No, score=-2.755 tagged_above=-999 required=5 tests=[AWL=0.222, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id kXiWXv40uFzO for <hybi@ietfa.amsl.com>; Sun, 19 Jun 2011 23:33:14 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2201221F856E for <hybi@ietf.org>; Sun, 19 Jun 2011 23:33:13 -0700 (PDT)
Received: by vxi40 with SMTP id 40so551641vxi.31 for <hybi@ietf.org>; Sun, 19 Jun 2011 23:33:12 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id g4mr3182466vdw.278.1308551592833; Sun, 19 Jun 2011 23:33:12 -0700 (PDT)
Received: by with HTTP; Sun, 19 Jun 2011 23:33:12 -0700 (PDT)
Date: Mon, 20 Jun 2011 16:33:12 +1000
Message-ID: <BANLkTi=UVMAd1nER6mRBe7zoD29CSbCkGA@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: Hybi <hybi@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [hybi] deflate-stream and masking
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2011 06:33:15 -0000

As part of my continuing campaign against including deflate-stream in
the specification as a standard extension, I did a quick test of how
well it works when applied to masked frames.

I took a days worth of traffic from an IRC channel and wrapped it up
as JSON messages sent as websocket frames.
There were 487 message that looked like:

     {channel:"#webtide", username:"tbecker", text:"joakime: jenkins
had issues pulling from github a couple of times  last week"}

As an unmasked WS stream, it was 50675 bytes, and as a masked stream
is was 52623 bytes.
I then compressed both these streams with gzip and got 13306 bytes for
unmasked and 51704 bytes for the masked!!!!

So for this very typical example, masking was sufficiently random to
completely negate the benefits of compression.

So the deflate-stream "extension" is:

 + next to useless for inbound traffic
 + breaks all the rules of what an extension can do
 + is potentially vulnerable to injection as attackers can send
repeated patterns that may subvert masking
 + can be replaced by the in-frame compression extension already proposed.
 + was inserted in the draft with little or no discussion and without
clear consensus.

Can I call for a straw poll of who wants to keep this extension in the spec?