Re: [hybi] Upgrade Mechanism and HasMat (was Re: Extensibility mechanisms?)

Maciej Stachowiak <mjs@apple.com> Thu, 22 July 2010 16:39 UTC

MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_IXKhSTG4Jt2zvqm3/gvL6g)"
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4C47FF71.3050000@ericsson.com>
Date: Thu, 22 Jul 2010 09:40:04 -0700
Message-id: <AD95281A-605D-4169-9E4A-82D0C57F524E@apple.com>
References: <Pine.LNX.4.64.1007212153110.7242@ps20323.dreamhostps.com> <AANLkTiku76oSucTNDFdwgsFBNFa_cCpC-YktTnMfX47-@mail.gmail.com> <4C479130.4020500@caucho.com> <AANLkTikLDjBP-Xs5t6TxmJuq4nG8jwThQ=n34B4cEmup@mail.gmail.com> <4C479CE4.6070805@caucho.com> <AANLkTims1er0Rbv0ysP4gRs1Kd0He8hapHeJ3nON=JQa@mail.gmail.com> <4C47C5B0.3030006@caucho.com> <AANLkTi=ND-FOH8OoD=TCbiyeSZ-h0LhxQBXN5w-2hfvj@mail.gmail.com> <20100722055452.GL7174@1wt.eu> <AANLkTik_rpxo=1OfzHkwpC5soQG_NxvGuZNXx7gdhVTh@mail.gmail.com> <20100722064945.GM7174@1wt.eu> <AANLkTim7AsQGSwLE51uktj=B1vB6roZChAtDoCrE6fFG@mail.gmail.com> <4C47FF71.3050000@ericsson.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] Upgrade Mechanism and HasMat (was Re: Extensibility mechanisms?)
Precedence: list

On Jul 22, 2010, at 1:21 AM, Salvatore Loreto wrote:

> Hi Adam,
> 
> first let me thank you, Willy, Maciej  for the discussion about cross-protocol vulnerability,
> having the explanation and picture of the problem always help the discussion and boost the
> possibility to find a good solution.
> 
> from my personal point of view,
> I see more value to work on a general solution to secure the HTTP Upgrade mechanism 
> against cross-protocol vulnerability, instead of trying to draft something ad-hoc for WebSocket
> 
> actually that sounds at least to me as something that perfectly fit in the HasMat BoF.
> 
> "The goal of this working group is to standardize a small number of
> selected specifications that have proven to improve security of Internet
> Web applications. The requirements guiding the work will be taken from
> the Web application and Web security communities.
> It would be extremely good if you (or someone else) can arrange a short presentation about this issue during the HasMat BoF!
> If nobody volunteer I can prepare a couple of slides (taking advantage of what you have discussed in this thread)
> and ask 5 minutes to the HasMat chairs to present them.

I'm not sure that is a good approach to the problem, for two reasons:

1) Cross-protocol vulnerabilities are highly dependent on the details, and it matters very much what the upgrade request looks like, and what protocol is used after upgrading. Upgrading to WebSocket has very different considerations from upgrading to TLS (RFC2817). It's not clear to me that this problem can be solved in a generic way.

2) Even if the problem could be solved generically for any instance of HTTP Upgrade, it would create significant delay if we add a dependency to WebSocket Protocol on a dependency that is currently undefined.

Regards,
Maciej

[hybi] Extensibility mechanisms? Justin Erenkrantz
Re: [hybi] Extensibility mechanisms? Thomson, Martin
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Justin Erenkrantz
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Justin Erenkrantz
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Thomson, Martin
Re: [hybi] Extensibility mechanisms? Roberto Peon
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Julian Reschke
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Julian Reschke
Re: [hybi] Extensibility mechanisms? Martin J. Dürst
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Ian Hickson
[hybi] HTTP is not a disaster. Was: Extensibility… Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] Extensibility mechanisms? Julian Reschke
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] HTTP is not a disaster. Was: Extensibi… Pieter Hintjens
Re: [hybi] Extensibility mechanisms? Pieter Hintjens
Re: [hybi] Extensibility mechanisms? Bjoern Hoehrmann
[hybi] NAT reset recovery? Was: Extensibility mec… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
[hybi] WebSocket, TLS and intermediaries Vladimir Katardjiev
Re: [hybi] Extensibility mechanisms? Roberto Peon
Re: [hybi] Extensibility mechanisms? Roberto Peon
Re: [hybi] Extensibility mechanisms? Julian Reschke
Re: [hybi] Extensibility mechanisms? Pieter Hintjens
Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
Re: [hybi] NAT reset recovery? Was: Extensibility… Greg Wilkins
Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
Re: [hybi] NAT reset recovery? Was: Extensibility… Thomson, Martin
Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Thomson, Martin
Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
Re: [hybi] NAT reset recovery? Was: Extensibility… Dave Cridland
Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
Re: [hybi] NAT reset recovery? Was: Extensibility… Dave Cridland
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
Re: [hybi] WebSocket, TLS and intermediaries Ian Hickson
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] Extensibility mechanisms? John Tamplin
Re: [hybi] Extensibility mechanisms? Roberto Peon
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Jack Moffitt
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] WebSocket, TLS and intermediaries Mike Belshe
Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
Re: [hybi] WebSocket, TLS and intermediaries John Tamplin
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] WebSocket, TLS and intermediaries Roberto Peon
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] WebSocket, TLS and intermediaries Roberto Peon
Re: [hybi] Extensibility mechanisms? Roberto Peon
Re: [hybi] WebSocket, TLS and intermediaries Greg Wilkins
Re: [hybi] Extensibility mechanisms? Thomson, Martin
Re: [hybi] WebSocket, TLS and intermediaries Thomson, Martin
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Extensibility mechanisms? Roberto Peon
Re: [hybi] WebSocket, TLS and intermediaries Julian Reschke
Re: [hybi] Extensibility mechanisms? Simone Bordet
Re: [hybi] Extensibility mechanisms? Simone Bordet
Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Ian Hickson
Re: [hybi] WebSocket, TLS and intermediaries Ian Hickson
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] WebSocket, TLS and intermediaries Mike Belshe
Re: [hybi] WebSocket, TLS and intermediaries Greg Wilkins
Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] WebSocket, TLS and intermediaries Roberto Peon
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
[hybi] Upgrade Mechanism and HasMat (was Re: Exte… Salvatore Loreto
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Roy T. Fielding
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Salvatore Loreto
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Willy Tarreau
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Dave Cridland
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Willy Tarreau
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Extensibility mechanisms? John Tamplin
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Dave Cridland
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Dave Cridland
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? John Tamplin
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Maciej Stachowiak
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Adam Barth
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Mike Belshe
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Roy T. Fielding
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … John Tamplin
Re: [hybi] Extensibility mechanisms? Willy Tarreau
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Roy T. Fielding
Re: [hybi] Extensibility mechanisms? Simon Pieters
Re: [hybi] Extensibility mechanisms? Greg Wilkins
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Greg Wilkins
Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Maciej Stachowiak
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] Extensibility mechanisms? Jamie Lokier
Re: [hybi] Extensibility mechanisms? Adam Barth
Re: [hybi] Extensibility mechanisms? Scott Ferguson
Re: [hybi] WebSocket, TLS and intermediaries Patrick McManus