Re: [hybi] workability (or otherwise) of HTTP upgrade

John Tamplin <jat@google.com> Tue, 07 December 2010 09:29 UTC

From: John Tamplin <jat@google.com>
Date: Tue, 07 Dec 2010 04:30:28 -0500
To: Greg Wilkins <gregw@webtide.com>
Cc: hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade

On Tue, Dec 7, 2010 at 2:31 AM, Greg Wilkins <gregw@webtide.com> wrote:
> I do come back to the fact that using another port does not give a
> perfect success rate, but then neither does CONNECT or
> GET+Upgrade+Hello. Opening new ports seems like an easier ask than
> convincing intermediaries to change their CONNECT and/or Upgrade
> handling.

I asked if we should consider that option in
http://www.ietf.org/mail-archive/web/hybi/current/msg04563.html and
there seemed to be little support for it, and it would require changing
the charter of the group.

Options at this point:
 1) stick with GET+Upgrade, which probably means masking
     everything in the payload in a way which can't be attacker
     controlled, which seems expensive
 2) convince detractors that using CONNECT as proposed is
     not violating the HTTP spec
 3) use a dedicated port, which means changing the charter
     and still requires addressing cross-protocol attacks in
     attacker-controlled payload
 4) wait for TLS-NPN or just use GET+Upgrade always over
     TLS on port 44 (ws vs wss would indicate whether to
     validate the cert)
 5) something else that hasn't had much discussion, such as
     POST chunked encoding in each direction

Any other options?

-- 
John A. Tamplin
Software Engineer (GWT), Google
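Option 1 above (masking the payload so that its bytes cannot be attacker-controlled) is the approach that was later standardized as client-to-server masking in RFC 6455. The Python below is an added example, not code from this email or from the working group: it builds and parses a masked client frame in that later-standardized form (an assumption, since the message itself fixes no scheme) and checks that an HTTP-looking payload no longer appears verbatim on the wire, which is what makes it unusable for confusing an intermediary.

```python
import os
import struct

# Added example. Frame layout follows RFC 6455 (assumed; the email predates it):
# FIN/opcode byte, MASK bit + length, optional extended length, 4-byte key, masked payload.

def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR each payload byte with the 4-byte masking key, cycling the key."""
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def build_client_frame(payload: bytes, key=None, opcode: int = 0x2) -> bytes:
    """Build a single FIN frame as a client would: MASK bit set, key chosen at random."""
    if key is None:
        key = os.urandom(4)  # unpredictable per frame, so the sender cannot choose wire bytes
    header = bytes([0x80 | opcode])  # FIN=1, RSV=000, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + key + mask_payload(payload, key)

def parse_client_frame(frame: bytes) -> bytes:
    """Server side: require the MASK bit, then unmask and return the payload."""
    second = frame[1]
    if not second & 0x80:
        raise ValueError("client frames must be masked")
    n, pos = second & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    key = frame[pos:pos + 4]
    payload = frame[pos + 4:pos + 4 + n]
    if len(payload) != n:
        raise ValueError("truncated frame")
    return mask_payload(payload, key)  # XOR is its own inverse

def plaintext_leaks(payload: bytes, key: bytes) -> bool:
    """True if the unmasked payload bytes appear verbatim inside the masked frame."""
    return payload in build_client_frame(payload, key)

# Constructed sample: a payload shaped like an HTTP request line plus headers.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
```

An all-zero key is the degenerate case where masking does nothing, which is why the key must be random and not chosen by the page's script.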