IETF Logo Mail Archive

Re: [hybi] Different server semantics of CONNECT

Greg Wilkins <gregw@intalio.com> Tue, 07 December 2010 07:55 UTC

Return-Path: <gregw@intalio.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E1F653A6939 for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 23:55:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.39
X-Spam-Level:
X-Spam-Status: No, score=-2.39 tagged_above=-999 required=5 tests=[AWL=-0.013, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsfg-nMCvvR2 for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 23:55:24 -0800 (PST)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by core3.amsl.com (Postfix) with ESMTP id 0386D28C105 for <hybi@ietf.org>; Mon, 6 Dec 2010 23:54:38 -0800 (PST)
Received: by qwg5 with SMTP id 5so12279559qwg.31 for <hybi@ietf.org>; Mon, 06 Dec 2010 23:56:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.121.220 with SMTP id i28mr1837940vcr.46.1291708563138; Mon, 06 Dec 2010 23:56:03 -0800 (PST)
Received: by 10.220.167.203 with HTTP; Mon, 6 Dec 2010 23:56:02 -0800 (PST)
In-Reply-To: <AANLkTikw+RUNrJQoE13Jm6zkesf8AZ1JZmQdMC7wZDqQ@mail.gmail.com>
References: <AANLkTi=5Z+PhCSmgNAd5_JcLYxR1rBQX=sbTT3qEwW-W@mail.gmail.com> <49B71D64-9B5D-40DB-B823-1552C56D19E5@gbiv.com> <F1D6C4CA564CA347B3B9EB54BEA5AD7C0C942729@TK5EX14MBXC212.redmond.corp.microsoft.com> <AANLkTikw+RUNrJQoE13Jm6zkesf8AZ1JZmQdMC7wZDqQ@mail.gmail.com>
Date: Tue, 07 Dec 2010 08:56:02 +0100
Message-ID: <AANLkTik1wABExg=piVy9zpYWWu=7cUiLiMf7kW8urWRo@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: John Tamplin <jat@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Hybi <hybi@ietf.org>
Subject: Re: [hybi] Different server semantics of CONNECT
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2010 07:55:26 -0000

On 7 December 2010 01:47, John Tamplin <jat@google.com> wrote:
> It seems that those so fundamentally opposed to using CONNECT are
> setting up a no-win situation.  If we can't use GET+Upgrade because
> real-world implementations never bothered to implement it because it
> wasn't actually used, and we can't use CONNECT because it is deemed to
> be in violation of the HTTP spec, then where does that leave us?  We
> can use a dedicated port, in which case WebSockets will not be usable
> in the near future for anyone behind a configured proxy (ie, most
> corporate environments and some home ones), ....


John,

I do mostly agree with you that definition of acceptable use of
CONNECT and the definition of "proxy" is being a little strictly
applied.

However, I don't agree being pushed to use a dedicated port will make
websocket less usable.    Consider the following experiment from the
Chrome team:

  http://www.ietf.org/mail-archive/web/tls/current/msg05593.html

whose results (from a small self selected sample) were:

  "The experiment tries to perform a trival WebSockets transaction over
   HTTP, over HTTP on a random, high numbered port (61985) and over
   HTTPS. This experiment is run via Chrome for users who have opted in.
   These are normal requests in the Chrome network stack and so will use
   any configured proxies.

   Excluding users that couldn't even do basic a HTTP transaction over
   the transport layer (6.37%, 10.15% and 7.91%, respectively), the
   success rates are:
       HTTP (port 80)      67%
       HTTP (port 61985)   86%
       HTTPS (port 443)    95%

   This results in overall sucess rates of 63%, 77% and 87%, respectively."

Thus a dedicated high port is going to have a success rate of 70-80%
I don't think that either CONNECT or GET+Upgrade handshakes are
claiming any significantly higher success rates.

Let's say we got permission to go crazy with the cheeze whiz and
change HTTP in any way that we liked, we are still looking at > 10%
that cannot establish a websocket connection over port 80.   Even port
443 is far from perfect.

All our proposed solutions suffer from connectivity issues - and I
don't think that it is the fault of strict application of the HTTP
specification.

We are beating ourselves up here saying: "your solutions is not
perfect" - "no your solution is not perfect" etc.   If we grind this
out to some kind of rough consensus on either connect or upgrade, we
are still going to have something that is not provably secure and will
fail in >10-20% of cases.

A dedicated port is going to give us
  + the same order of magnitude of success.
  + a much clearer security story.
  + a simpler argument to intermediary venders to support WS
  + the option of using a CONNECT handshake on port 80 to connect to it.

cheers

v2.23.0 | Report a Bug | By Email