Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

"Roy T. Fielding" <> Sat, 03 September 2011 17:01 UTC

To: Julian Reschke <>
Cc: Server-Initiated HTTP <>,,

I don't know if this is a cultural issue or not, but neither of those
changes is an improvement, nor should they be any less offensive.
Convoluted and inefficient describes the hashing algorithm in the
least offensive way possible -- "complex" doesn't say anything.
There are a lot of complex algorithms (e.g., TLS) that are
necessarily so.

And I gave the sole reason the WG has for using those ports -- I don't
want people to imagine there might be any other (sane, unselfish, etc.)

Besides, what I wrote is entirely factual -- the offensive version
would have melted your LCD.


On Sep 3, 2011, at 6:17 AM, Julian Reschke wrote:

> On 2011-09-03 12:54, Julian Reschke wrote:
>> Hi,
>> I believe that almost everything Roy says below is non-controversial; if
>> we can tune the language to be less offensive it might fit well into the
>> Introduction (and not require an IESG Note to get into the document).
>> Best regards, Julian
>> ...
> Like that...:
>   The WebSocket protocol is designed with an assumption that
>   TCP port 80 or 443 will be used for the sake of tunneling raw
>   socket exchanges over HTTP.  The result is a convoluted and
>   inefficient exchange of hashed data for the sake of bypassing
> s/convoluted and inefficient/complex/
>   intermediaries that may be routing, authenticating, filtering,
>   or verifying traffic on those ports.  The sole reason for using
> s/sole//
>   ports 80 and 443, and hence requiring the hashed data exchange,
>   is because many organizations use TCP port blocking at firewalls
>   to prevent unexpected network traffic, but allow the HTTP ports
>   to remain open because they are expected to be used for normal
>   Web request traffic.  WebSocket deliberately bypasses network
>   management constraints in order to enable Web application
>   developers to send arbitrary data through a trusted port.
>   Naturally, the WebSocket protocol does not have the same network
>   characteristics as HTTP.  The messages exchanged are likely to
>   be smaller, more interactive, and delivered asynchronously over
>   a long-lived connection.  Unfortunately, those are the same
>   characteristics of typical denial-of-service attacks over HTTP.
>   Organizations deploying WebSockets should be aware that existing
>   network equipment or software monitoring on those ports may need
>   to be updated or replaced.
> Best regards, Julian