Re: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard
Greg Wilkins <gregw@intalio.com> Tue, 12 July 2011 02:09 UTC
Return-Path: <gregw@intalio.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8342421F8FFC for <ietf@ietfa.amsl.com>; Mon, 11 Jul 2011 19:09:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.656
X-Spam-Level:
X-Spam-Status: No, score=-2.656 tagged_above=-999 required=5 tests=[AWL=0.321, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0gRA+kmtv79q for <ietf@ietfa.amsl.com>; Mon, 11 Jul 2011 19:09:00 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 88D6A21F8FFA for <ietf@ietf.org>; Mon, 11 Jul 2011 19:09:00 -0700 (PDT)
Received: by vxi40 with SMTP id 40so4645805vxi.31 for <ietf@ietf.org>; Mon, 11 Jul 2011 19:09:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.170.205 with SMTP id ao13mr2952879vdc.509.1310436539824; Mon, 11 Jul 2011 19:08:59 -0700 (PDT)
Received: by 10.52.115.103 with HTTP; Mon, 11 Jul 2011 19:08:59 -0700 (PDT)
Date: Tue, 12 Jul 2011 12:08:59 +1000
Message-ID: <CAH_y2NF0hH+bBQ6Nkr5HueP45DG-xOKAJ+aWa_c4fcCibbQA-g@mail.gmail.com>
Subject: Re: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard
From: Greg Wilkins <gregw@intalio.com>
To: ietf@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
X-Mailman-Approved-At: Tue, 12 Jul 2011 08:06:28 -0700
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2011 02:09:01 -0000
For the benefit of the wider ietf@ietf.org audience, I'd like to summaries an unresolved issue from the Hybi WG with the websocket draft protocol. Draft 10 if this document contains the "deflate-stream" extension in section 9.2.1 This extension does not comply with any of the anticipated uses of extensions listed in section 4.8, at best this makes it a poor exemplar of an extension, as worst it makes it an unexpected total change to the framing seen on the wire. Because the extension changes the framing of bytes on the wire, this will force all tools and intermediaries that wish to observe the frame boundaries, to implement this extension, making it non optional. For example, intermediaries that do not implement this extension will be unable to buffer/forward on frame boundaries. Because default-stream is applied after the masking of client sent frames, it is highly inefficient, with little or no compression being achieved due to the random masking keys and the masking of any regular patterns in the payload. The intent of masking was to prevent bytes sent on the wire being being controlled by an attacker. However, a security concern has been raised that the predictability of the deflate algorithm to convert byte patterns into shorter bit sequences may allow a payload to be crafted that would predictably produce bytes on the wire regardless of the masking applied. A reasonable alternative has been proposed that does not apply deflation to the stream. Rather it applies it only to the application data before masking, while keeping the compression dictionary between frames. This alternative proposal is a good exemplar extension (in line with 4.8), provides efficient compression and does not suffer from the security concern raised. Since draft -7, there have been many voices in the WG calling for the withdrawal of deflate-stream and nobody has spoken in favour of the retention of deflate-stream on any grounds other than it is already implemented/deployed. I fail to understand why a non essential feature that was put into draft-3 without discussion or consensus, that has demonstrable deficiencies, security concerns and vocal opponents has been left in the draft all the way to final call? regards Greg Wilkins
- Re: Last Call: <draft-ietf-hybi-thewebsocketproto… Julian Reschke
- Re: Last Call: <draft-ietf-hybi-thewebsocketproto… Mykyta Yevstifeyev
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Julian Reschke
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Julian Reschke
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Julian Reschke
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Julian Reschke
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mykyta Yevstifeyev
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mykyta Yevstifeyev
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Julian Reschke
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mykyta Yevstifeyev
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mykyta Yevstifeyev
- Re: Last Call: <draft-ietf-hybi-thewebsocketproto… Greg Wilkins
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Francis Brosnan Blazquez
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Greg Wilkins
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Len Holgate
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Len Holgate
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Francis Brosnan Blazquez
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Len Holgate
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Francis Brosnan Blazquez
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Len Holgate
- HTTP header field and upgrade token definitions, … Julian Reschke
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Francis Brosnan Blazquez
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mykyta Yevstifeyev
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Keith Moore
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Keith Moore
- SRV and http(s) (was Re: [hybi] Last Call: <draft… Masataka Ohta
- Re: SRV and http(s) (was Re: [hybi] Last Call: <d… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: SRV and http(s) (was Re: [hybi] Last Call: <d… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Scott Schmit
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Scott Schmit
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Roy T. Fielding
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dean Willis
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Philippe Bernard
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Bruce Atherton
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Hector Santos
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Bruce Atherton
- RE: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Gabriel Montenegro
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… John Tamplin
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Greg Wilkins
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Endicott
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Ted Hardie
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Keith Moore
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Alexey Melnikov
- DNS, IPV6 amadou ouabanaize sidi ali
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Roy T. Fielding
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Roy T. Fielding
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Bjoern Hoehrmann
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… John Tamplin
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… David Conrad
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Keith Moore
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Keith Moore
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… John Tamplin
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Masataka Ohta
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Dave Cridland
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Martin Rex
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Willy Tarreau
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Martin Rex
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Mark Andrews
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Philip Homburg
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Roy T. Fielding
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Hector
- Re: [hybi] Last Call: <draft-ietf-hybi-thewebsock… Iñaki Baz Castillo
- IESG note?, was: [hybi] Last Call: <draft-ietf-hy… Julian Reschke
- Re: IESG note?, was: [hybi] Last Call: <draft-iet… Julian Reschke
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Roy T. Fielding
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Joel Martin
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Willy Tarreau
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Joel Martin
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Sylvain Hellegouarch
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Joel Martin
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Sylvain Hellegouarch
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Julian Reschke
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Peter Saint-Andre
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Richard L. Barnes
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Roy T. Fielding
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Stephen Farrell
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Richard L. Barnes
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Stephen Farrell
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Willy Tarreau
- RE: [hybi] IESG note?, was: Last Call: <draft-iet… Gabriel Montenegro
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Willy Tarreau
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… John Tamplin
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Peter Saint-Andre
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Anshuman Pratap Chaudhary
- Re: [hybi] IESG note?, was: Last Call: <draft-iet… Willy Tarreau