IETF Logo Mail Archive

Re: [websec] #60: Well Known URIs vs Response Headers

Yoav Nir <ynir@checkpoint.com> Wed, 07 August 2013 06:28 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 483F021E8050 for <websec@ietfa.amsl.com>; Tue, 6 Aug 2013 23:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.509
X-Spam-Level:
X-Spam-Status: No, score=-10.509 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id clNhQdEHLwJ1 for <websec@ietfa.amsl.com>; Tue, 6 Aug 2013 23:28:27 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id CD8BE21E8051 for <websec@ietf.org>; Tue, 6 Aug 2013 23:28:26 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r776SO7i032044; Wed, 7 Aug 2013 09:28:24 +0300
X-CheckPoint: {5201E908-17-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Wed, 7 Aug 2013 09:28:23 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: "<ryan-ietfhasmat@sleevi.com>" <ryan-ietfhasmat@sleevi.com>
Thread-Topic: [websec] #60: Well Known URIs vs Response Headers
Thread-Index: AQHOjJuYwSHLWJ6FxEGQqE9b5vLwWJl77USAgAD8uoCAAiUAAIAAx7yAgAAImACAAAPjgIAAeIGAgACNhwCAAu1zgIACbX6AgAF0g4CAALuPgIAAHoKAgACQWgA=
Date: Wed, 07 Aug 2013 06:28:22 +0000
Message-ID: <282DF116-E908-4C7E-8387-A7E69E1C0848@checkpoint.com>
References: <060.e0f8fef9b2d28177be54bca787fadd87@trac.tools.ietf.org> <FA4BC0F4-EEEB-485B-BF8E-A326F6BA86AE@checkpoint.com> <C68CB012D9182D408CED7B884F441D4D3472734AF4@nambxv01a.corp.adobe.com> <32D5F3CB-E742-4A9F-94A9-01B8224F9C49@checkpoint.com> <51FA1C35.1090005@mozilla.org> <4B4A645A-793F-4276-96BF-FBA5BA740632@checkpoint.com> <51FA26AD.2020405@gondrom.org> <CAOuvq206UHumfA3kJ8xc0Eb0hapt2G4FYvkgRwVEfrh3tqRrQQ@mail.gmail.com> <CAGZ8ZG3CTkwJzx2wz+60fmLK6CFHdazFbntLzBFFMMh-r++scw@mail.gmail.com> <CAOe4Ui=kVFbQUBuAS6t_Qu4h3LgBiDegtnKkfRnE=oz2gw+6hA@mail.gmail.com> <0C788DC3-4C7F-47D4-B0A6-54E94FC5EAD0@checkpoint.com> <CAGZ8ZG3j__s6mDTkuX9PBb65acEk-T4X9fwjnGVJ-o5jXqPwOQ@mail.gmail.com> <CAGZ8ZG0u1A_X2x8gU-rQGzwt3SMR3XPgwX5Y5YVW6bV93Tw8Lw@mail.gmail.com> <be2c7fd9605147d5e6d8695950a09c35.squirrel@webmail.dreamhost.com>
In-Reply-To: <be2c7fd9605147d5e6d8695950a09c35.squirrel@webmail.dreamhost.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.54]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 116a3526a41b602533b32dc5ec520a0df22a32457c
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <419D1575F0C5E64E872FE97CFAE1A7AA@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] #60: Well Known URIs vs Response Headers
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 06:28:32 -0000

[no hats]

On Aug 7, 2013, at 12:51 AM, Ryan Sleevi <ryan-ietfhasmat@sleevi.com> wrote:
> 
> 
> In an HTTP/2.0 world, where 'everything' is multiplexed over a single
> logical connection, I would heartily agree that this is less of a concern.
> But in an HTTP/1.0 and HTTP/1.1 world - which will still be here for a
> while - it's a very real concern.

Both ideas get better with HTTP/2.0. the WK URI can be always requested with lowest priority, so it doesn't interfere with loading the web page. And header bloat does not matter that much if the header is included only once per TCP connection.

> For those not familiar with these concerns from the browser/user-agent
> perspective, at the risk of promotion I'd suggest checking out my
> colleague Ilya Grigorik's (presently available free) book "High
> Performance Browser Networking" (
> http://chimera.labs.oreilly.com/books/1230000000545 ), in particular the
> lessons learned, user metrics gained, and graphs discussed in chapters
> 9-13.
> 
> That's not to say that Well-Known URIs are not extremely tempting, for
> some of the reasons already expressed by Joe and Trevor, but I think it
> may be missed some of the downsides that are not necessarily present in
> the current header-based approach.
> 
> In our mind, one of the biggest factors has been "What are the hurdles to
> practical deployment?". While there is admittedly complexity from the
> header approach, it's our view that it's not greater than the inherent
> complexity of effective pinning, as enumerated in the existing
> considerations. The complexity of an efficient and reasonable
> implementation of well-known URIs, or of a practical deployment of server
> extensions, seems to greatly outweigh both, and the benefits are not as
> seemingly significant.

+1

Yoav

v2.23.0 | Report a Bug | By Email