Re: [hybi] Shipping WebSockets
Mark Nottingham <mnot@mnot.net> Thu, 16 December 2010 03:33 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 07DF528C137 for <hybi@core3.amsl.com>; Wed, 15 Dec 2010 19:33:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.568
X-Spam-Level:
X-Spam-Status: No, score=-104.568 tagged_above=-999 required=5 tests=[AWL=-1.969, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iv0s13lCHNJ6 for <hybi@core3.amsl.com>; Wed, 15 Dec 2010 19:33:29 -0800 (PST)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by core3.amsl.com (Postfix) with ESMTP id 69C9F28C0F8 for <hybi@ietf.org>; Wed, 15 Dec 2010 19:33:26 -0800 (PST)
Received: from chancetrain-lm.mnot.net (unknown [118.209.2.20]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 780A022E254; Wed, 15 Dec 2010 22:35:02 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <011E0760-A64B-4C26-B2CF-6F5CDCA0EC25@apple.com>
Date: Thu, 16 Dec 2010 14:35:00 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <800B3348-0B58-4DA4-B416-5EC2C3BC0120@mnot.net>
References: <B0B3789C-1D3C-4A4E-B37F-8F43FFC7D905@mnot.net> <AANLkTi=Z8Hcp7FBDumgMPH4YmQ1=yqOPwAxD095yzLBt@mail.gmail.com> <AANLkTik6etgMy7jDhWtg+xqhoMzsJy-4U-xveue2gD32@mail.gmail.com> <AANLkTimw5bHL+GwkMhPC5DwLUJZzeSvfURQQy-XSJxpi@mail.gmail.com> <F16F4A8A-CFBD-44C1-B4A2-EC209E793AF7@mimectl> <07788BB1-182D-4260-A73B-8082D7463BF9@mnot.net> <011E0760-A64B-4C26-B2CF-6F5CDCA0EC25@apple.com>
To: Maciej Stachowiak <mjs@apple.com>
X-Mailer: Apple Mail (2.1082)
Cc: "hybi@ietf.org HTTP" <hybi@ietf.org>
Subject: Re: [hybi] Shipping WebSockets
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Dec 2010 03:33:31 -0000
On 16/12/2010, at 12:20 PM, Maciej Stachowiak wrote: > > On Dec 15, 2010, at 4:59 PM, Mark Nottingham wrote: > >> From an HTTP standpoint, this looks good to me, and it nicely demonstrates a point I've been trying to make repeatedly -- that we don't have to fall into the trap of a false choice between the 'old' upgrade proposal and the CONNECT proposal. >> >> I'm very interested to hear the reactions of the CONNECT proponents. > > - I don't think this proposal does anything to address the flaws found by Adam's study. Can you be more specific, Maciej? If the hybi-specific handshake is sufficiently unlike an HTTP request/response pair, it should fail when there's an intercepting proxy interposed. > - In fact I don't think anything about this proposal meaningfully improves security relative to the current draft. Some of the changes may have good non-security motivations I see it as a waste of time to putter around the edges of the handshake until we have security figured out. Security issues currently make the protocol non-viable. I don't see the value in producing more drafts that are not safe to ship in product. See above. Perhaps you haven't examined the proposal closely enough. > - The summary claims that this handshake doesn't introduce a round trip, but it clearly does, since the hello frames are only exchanged after the handshake completes. I don't see any indication that the client nor server needs to block before sending; only that a certain frame must be sent before any others, in each direction. That shouldn't add a round trip. > (That's setting aside the obvious point that this internet-draft is not suitable for use as drop-in spec text, both due to being written as an old vs. new comparison and due to insufficient detail.) As pointed out in the draft, this is a very typical change proposal. If you're going to reject proposals based on their formatting, we are indeed in for the long haul. Regards, > > For these reasons, I think the proposed draft is not a particularly useful direction. > > Regards, > Maciej > > >> >> Regards, >> >> >> On 16/12/2010, at 5:30 AM, Gabriel Montenegro wrote: >> >>> FYI, we have submitted a draft that's essentially the handshake that Greg proposed a while back. >>> We'd like to use it as a basis for further iteration. >>> >>> http://tools.ietf.org/html/draft-montenegro-hybi-upgrade-hello-handshake >>> >>> Agree on base64. >>> >>> Gabriel >>> From: hybi-bounces@ietf.org [hybi-bounces@ietf.org] on behalf of Greg Wilkins [gregw@webtide.com] >>> Sent: Wednesday, December 15, 2010 09:03 >>> To: John Tamplin >>> Cc: hybi@ietf.org HTTP >>> Subject: Re: [hybi] Shipping WebSockets >>> >>> On 15 December 2010 17:44, John Tamplin <jat@google.com> wrote: >>>> On Wed, Dec 15, 2010 at 3:39 AM, Greg Wilkins <gregw@webtide.com> wrote: >>>>> Does anybody object to wrapping the nonce/hash bytes sent after the >>>>> handshake requests as HELLO frames? This means that implementations >>>>> only need to deal with 2 framing mechanisms not 3. >>>> >>>> In the absence of information about the rest of the handshake, yes. >>>> All else being equal, I would prefer they be included in headers. >>> >>> Well I would not argue with them being headers either. >>> >>> >>>> I don't understand what you mean about 2 framing mechanisms instead of 3 though. >>> >>> The connection opens, you first have to parse HTTP. You then have to >>> parse 8 bytes. You then parse websocket packets. >>> >>> Sure that is trivial if you are writing a blocking implementation. >>> But if you want to scale, you have to be asynchronous and you can't >>> assume that all the 8 bytes will arrive at once. So you have to have >>> a little state machine to track the arrival of those bytes. This is >>> just needless complication and will be a source of errors. If the >>> bytes are framed as WS, then you can simply switch from the HTTP >>> parser to the WS parser >>> >>> Also, without any framing, then any 8 bytes sent (eg another HTTP >>> request) will look like the random bytes. This is not robust >>> >>> >>> >>> >>>>> Does anybody object to simple hex encoding of nonces and hashes? >>>> >>>> I wouldn't block it, but base64 seems better and sufficient. >>> >>> sure b64 is good also. >>> >>> >>> cheers >>> _______________________________________________ >>> hybi mailing list >>> hybi@ietf.org >>> https://www.ietf.org/mailman/listinfo/hybi >>> >>> _______________________________________________ >>> hybi mailing list >>> hybi@ietf.org >>> https://www.ietf.org/mailman/listinfo/hybi >> >> -- >> Mark Nottingham http://www.mnot.net/ >> >> >> >> _______________________________________________ >> hybi mailing list >> hybi@ietf.org >> https://www.ietf.org/mailman/listinfo/hybi > -- Mark Nottingham http://www.mnot.net/
- Re: [hybi] Shipping WebSockets Zhong Yu
- Re: [hybi] Shipping WebSockets Greg Wilkins
- [hybi] Shipping WebSockets Mark Nottingham
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets Mark Nottingham
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets Bjoern Hoehrmann
- Re: [hybi] Shipping WebSockets Zhong Yu
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Zhong Yu
- Re: [hybi] Shipping WebSockets Pat McManus @Mozilla
- Re: [hybi] Shipping WebSockets John Tamplin
- Re: [hybi] Shipping WebSockets Greg Wilkins
- Re: [hybi] Shipping WebSockets Andrew Miadowicz
- Re: [hybi] Shipping WebSockets Greg Wilkins
- Re: [hybi] Shipping WebSockets Adam Barth
- Re: [hybi] Shipping WebSockets Gabriel Montenegro
- Re: [hybi] Shipping WebSockets Zhong Yu
- Re: [hybi] Shipping WebSockets Zhong Yu
- Re: [hybi] Shipping WebSockets Adam Barth
- Re: [hybi] Shipping WebSockets Julian Reschke
- Re: [hybi] Shipping WebSockets Eric Rescorla
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Mark Nottingham
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets John Tamplin
- Re: [hybi] Shipping WebSockets Mark Nottingham
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets Mark Nottingham
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] Shipping WebSockets Willy Tarreau
- [hybi] Handshake proposals, how to move forward Salvatore Loreto
- [hybi] upgrade-hello-handshake (was Re: Shipping … Salvatore Loreto
- Re: [hybi] Handshake proposals, how to move forwa… Julian Reschke
- Re: [hybi] Handshake proposals, how to move forwa… Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake proposals, how to move forwa… Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake proposals, how to move forwa… John Tamplin
- Re: [hybi] Handshake proposals, how to move forwa… Salvatore Loreto
- Re: [hybi] Handshake proposals, how to move forwa… Adam Barth
- Re: [hybi] Shipping WebSockets Bjoern Hoehrmann
- [hybi] semantic conformance in CONNECT handshake … Salvatore Loreto
- Re: [hybi] semantic conformance in CONNECT handsh… Salvatore Loreto
- Re: [hybi] Shipping WebSockets Willy Tarreau
- Re: [hybi] semantic conformance in CONNECT handsh… Ian Fette (イアンフェッティ)
- Re: [hybi] semantic conformance in CONNECT handsh… Willy Tarreau
- Re: [hybi] semantic conformance in CONNECT handsh… Eric Rescorla
- Re: [hybi] semantic conformance in CONNECT handsh… Salvatore Loreto
- [hybi] upgrade-hello-handshake (was: Re: Shipping… Bjoern Hoehrmann
- Re: [hybi] Shipping WebSockets Greg Wilkins
- Re: [hybi] Handshake proposals, how to move forwa… Greg Wilkins
- Re: [hybi] semantic conformance in CONNECT handsh… Greg Wilkins
- Re: [hybi] Shipping WebSockets Greg Wilkins
- Re: [hybi] semantic conformance in CONNECT handsh… Willy Tarreau
- Re: [hybi] semantic conformance in CONNECT handsh… Willy Tarreau
- Re: [hybi] upgrade-hello-handshake (was: Re: Ship… Willy Tarreau
- Re: [hybi] semantic conformance in CONNECT handsh… Greg Wilkins
- Re: [hybi] Wiki page to organize discussion of pr… Maciej Stachowiak
- Re: [hybi] semantic conformance in CONNECT handsh… Joe Mason
- Re: [hybi] Shipping WebSockets Joe Mason
- [hybi] Wiki page to organize discussion of propos… Maciej Stachowiak
- Re: [hybi] Wiki page to organize discussion of pr… Marshall Eubanks
- Re: [hybi] Wiki page to organize discussion of pr… Mark Nottingham
- Re: [hybi] Wiki page to organize discussion of pr… John Tamplin
- Re: [hybi] Wiki page to organize discussion of pr… Greg Wilkins
- Re: [hybi] Wiki page to organize discussion of pr… James Graham
- Re: [hybi] Wiki page to organize discussion of pr… Maciej Stachowiak
- Re: [hybi] Wiki page to organize discussion of pr… Maciej Stachowiak
- Re: [hybi] Wiki page to organize discussion of pr… Salvatore Loreto
- Re: [hybi] Wiki page to organize discussion of pr… Eric Rescorla
- Re: [hybi] Wiki page to organize discussion of pr… Jack Moffitt
- Re: [hybi] Wiki page to organize discussion of pr… Salvatore Loreto
- Re: [hybi] Wiki page to organize discussion of pr… Henrik Levkowetz
- Re: [hybi] Shipping WebSockets Dave Cridland
- Re: [hybi] semantic conformance in CONNECT handsh… Dave Cridland
- Re: [hybi] Shipping WebSockets SM
- Re: [hybi] Shipping WebSockets Maciej Stachowiak
- Re: [hybi] Shipping WebSockets Dave Cridland