Re: [hybi] Moving to a CONNECT-based handshake

Greg Wilkins <gregw@webtide.com> Wed, 01 December 2010 05:41 UTC

On 30 November 2010 19:52, John Tamplin <jat@google.com> wrote:

> On Tue, Nov 30, 2010 at 2:42 PM, Joe Hildebrand
> <Joe.Hildebrand@webex.com> wrote:
> > That's been suggested in the past, and likely won't get us to consensus
> > quicker.
>
> In the past, we didn't have a demonstrated attack on the Upgrade
> handshake, which is why I thought it might be worth bringing up.
>
>
We still don't have a demonstrated attack on the Upgrade handshake.
We have a demonstrated attack on something a little bit like the Upgrade
handshake, but is essentially just sending two HTTP requests in a row, the
first with upgrade headers and then being amazed that some intermediaries
that ignore upgrade are seeing the second HTTP request.

I really do not like how this discussion is being conducted, as too many
concerns are being mixed together.

It may well be that CONNECT is better than Upgrade, but that does not mean
that we should be sending bogus host information.

It may well be that encrypting host information is necessary, but that does
not mean that we need to use CONNECT.

The two proposals should be considered separately.  We got into this
handshake mess in the first place by "accepting" a bunch of changes as a
batch when we only had consensus on a few aspects.