Re: [hybi] Proposal: HTTP upgrade process

Salvatore Loreto <salvatore.loreto@ericsson.com> Tue, 17 August 2010 12:30 UTC


On 8/16/10 11:05 AM, Maciej Stachowiak wrote:
> On Aug 15, 2010, at 6:23 PM, Greg Wilkins wrote:
>
>    
>> All,
>>
>> there has been a lot of posting about the -76/-00 style handshake,
>> its HTTP compliance issues, its fast fail (or otherwise)
>> characteristics, its security features etc.    I don't think any of the
>> conversations have been very productive nor is there any apparent
>> convergence on a solution.
>>
>> I think the reason for this is that we are starting with a solution
>> (the 8 random bytes etc.) and trying to reverse engineer the
>> requirements for it and a retrospective consensus for its inclusion
>> into the draft. Thus I would like to propose that we re-start
>> consideration of the handshake with the -75 style handshake and try to
>> move forward from there by identifying problems/requirements,
>> discussing solutions and then applying the consensus solution to move
>> forward.
>>      
> It's not clear to me if the random 8 bytes have been sufficiently justified. My understanding is that it's intended as a fast-fail mechanism for problematic intermediaries, but I don't think it's been demonstrated that it works. However, I do not think reverting to an earlier version of the protocol would be a productive step:
>
> (1) The WG adopted the -76 version. It seems reasonable to me that we should move forward from there. Jumping back to earlier versions will just force us to re-solve various problems.
>    
as explained in previous mail

    draft-ietf-hybi-thewebsocketprotocol-00 was used as an input document
    for the HyBi WG.  As it is an Internet-Draft, it is work in
    progress.  In other words, it is subject to change.
       


Having said that, I agree that any changes should move the spec forward,
be an improvement and solve the issues that
have been found and largely discussed within the WG.
So restarting from -75 does not make sense.

> (2) The -75 version had significant vulnerability to cross-protocol attacks, which is a critical security issue. While -76 is not the best effort we've seen, it is far better than -75. These security fixes are not all dependent on the magic 8 bytes. I think it would be irrational to revert critical security fixes over a tangentially related issue.
>
> (3) At the time of the -75 draft, it was claimed by many WG that it was not HTTP compliant. If that is indeed the case, then I do not see what purpose is served by trading the non-HTTP-compliance of -76 for the different non-HTTP-compliance of -75.
>
> Conclusion: we should solve the "8 random bytes" problem, or at least, figure out if the benefits outweigh the costs, but not by reverting to an earlier draft.
>    
There have been a lot of mails and good technical discussion about
- the need for "8 random bytes" for security reasons
- the fact that as the "8 random bytes" are used in the 00 wg version
they do not work for reverse proxies and are not HTTP-compliant,
- the possibility to use the "8 random bytes" in a way that both works
with reverse proxies and is HTTP-compliant, among others:

    * inserting the 8 random bytes in a header
    * using the Willy Tarreau analysis/proposal explained in
      http://www.ietf.org/mail-archive/web/hybi/current/msg03238.html

So in order to move the work forward I would invite people to send out
text (in an ad hoc thread) proposing a handshake that addresses all the
concerns raised by
different people (in the same way as is happening for the frame issue).

regards
/Sal


> Regards,
> Maciej


-- 
Salvatore Loreto
www.sloreto.com