Re: [hybi] Different server semantics of CONNECT
Greg Wilkins <gregw@intalio.com> Tue, 07 December 2010 07:55 UTC
Return-Path: <gregw@intalio.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E1F653A6939 for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 23:55:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.39
X-Spam-Level:
X-Spam-Status: No, score=-2.39 tagged_above=-999 required=5 tests=[AWL=-0.013, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsfg-nMCvvR2 for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 23:55:24 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id 0386D28C105 for <hybi@ietf.org>; Mon, 6 Dec 2010 23:54:38 -0800 (PST)
Received: by qwg5 with SMTP id 5so12279559qwg.31 for <hybi@ietf.org>; Mon, 06 Dec 2010 23:56:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.121.220 with SMTP id i28mr1837940vcr.46.1291708563138; Mon, 06 Dec 2010 23:56:03 -0800 (PST)
Received: by 10.220.167.203 with HTTP; Mon, 6 Dec 2010 23:56:02 -0800 (PST)
In-Reply-To: <AANLkTikw+RUNrJQoE13Jm6zkesf8AZ1JZmQdMC7wZDqQ@mail.gmail.com>
References: <AANLkTi=5Z+PhCSmgNAd5_JcLYxR1rBQX=sbTT3qEwW-W@mail.gmail.com> <49B71D64-9B5D-40DB-B823-1552C56D19E5@gbiv.com> <F1D6C4CA564CA347B3B9EB54BEA5AD7C0C942729@TK5EX14MBXC212.redmond.corp.microsoft.com> <AANLkTikw+RUNrJQoE13Jm6zkesf8AZ1JZmQdMC7wZDqQ@mail.gmail.com>
Date: Tue, 07 Dec 2010 08:56:02 +0100
Message-ID: <AANLkTik1wABExg=piVy9zpYWWu=7cUiLiMf7kW8urWRo@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Hybi <hybi@ietf.org>
Subject: Re: [hybi] Different server semantics of CONNECT
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2010 07:55:26 -0000
On 7 December 2010 01:47, John Tamplin <jat@google.com> wrote: > It seems that those so fundamentally opposed to using CONNECT are > setting up a no-win situation. If we can't use GET+Upgrade because > real-world implementations never bothered to implement it because it > wasn't actually used, and we can't use CONNECT because it is deemed to > be in violation of the HTTP spec, then where does that leave us? We > can use a dedicated port, in which case WebSockets will not be usable > in the near future for anyone behind a configured proxy (ie, most > corporate environments and some home ones), .... John, I do mostly agree with you that definition of acceptable use of CONNECT and the definition of "proxy" is being a little strictly applied. However, I don't agree being pushed to use a dedicated port will make websocket less usable. Consider the following experiment from the Chrome team: http://www.ietf.org/mail-archive/web/tls/current/msg05593.html whose results (from a small self selected sample) were: "The experiment tries to perform a trival WebSockets transaction over HTTP, over HTTP on a random, high numbered port (61985) and over HTTPS. This experiment is run via Chrome for users who have opted in. These are normal requests in the Chrome network stack and so will use any configured proxies. Excluding users that couldn't even do basic a HTTP transaction over the transport layer (6.37%, 10.15% and 7.91%, respectively), the success rates are: HTTP (port 80) 67% HTTP (port 61985) 86% HTTPS (port 443) 95% This results in overall sucess rates of 63%, 77% and 87%, respectively." Thus a dedicated high port is going to have a success rate of 70-80% I don't think that either CONNECT or GET+Upgrade handshakes are claiming any significantly higher success rates. Let's say we got permission to go crazy with the cheeze whiz and change HTTP in any way that we liked, we are still looking at > 10% that cannot establish a websocket connection over port 80. Even port 443 is far from perfect. All our proposed solutions suffer from connectivity issues - and I don't think that it is the fault of strict application of the HTTP specification. We are beating ourselves up here saying: "your solutions is not perfect" - "no your solution is not perfect" etc. If we grind this out to some kind of rough consensus on either connect or upgrade, we are still going to have something that is not provably secure and will fail in >10-20% of cases. A dedicated port is going to give us + the same order of magnitude of success. + a much clearer security story. + a simpler argument to intermediary venders to support WS + the option of using a CONNECT handshake on port 80 to connect to it. cheers
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Willy Tarreau
- Re: [hybi] Different server semantics of CONNECT Roy T. Fielding
- Re: [hybi] Different server semantics of CONNECT Willy Tarreau
- Re: [hybi] Different server semantics of CONNECT Adam Barth
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Julian Reschke
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Brian
- Re: [hybi] Different server semantics of CONNECT Roy T. Fielding
- Re: [hybi] Different server semantics of CONNECT Maciej Stachowiak
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Maciej Stachowiak
- Re: [hybi] Different server semantics of CONNECT Roy T. Fielding
- Re: [hybi] Different server semantics of CONNECT Thomson, Martin
- Re: [hybi] Different server semantics of CONNECT Thomson, Martin
- Re: [hybi] Different server semantics of CONNECT Ian Fette (イアンフェッティ)
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Martin J. Dürst
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Ian Fette (イアンフェッティ)
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Pat McManus @Mozilla
- Re: [hybi] Different server semantics of CONNECT Bjoern Hoehrmann
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Roberto Peon
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Roberto Peon
- Re: [hybi] Different server semantics of CONNECT Maciej Stachowiak
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Bjoern Hoehrmann
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Bjoern Hoehrmann
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Eric Rescorla
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Maciej Stachowiak
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins
- Re: [hybi] Different server semantics of CONNECT Maciej Stachowiak
- Re: [hybi] Different server semantics of CONNECT Zhong Yu
- Re: [hybi] Different server semantics of CONNECT Henrik Frystyk Nielsen
- Re: [hybi] Different server semantics of CONNECT John Tamplin
- Re: [hybi] Different server semantics of CONNECT Bjoern Hoehrmann
- Re: [hybi] Different server semantics of CONNECT Greg Wilkins