
Re: #250 / #251 (connect bodies)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 28 Oct 2010 17:13:40 +1100
Cc: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>, Adrien de Croy <adrien@qbik.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <5EDB04F2-E29D-4CA5-9E48-E0075DE9CD5E@mnot.net>
To: Adam Barth <w3c@adambarth.com>

Use something other than port 80, since you're not speaking HTTP?

But I digress; that's a discussion to be had when / if WebSockets goes to IETF Last Call. Back to the topic at hand: 

What property are you looking for out of using the CONNECT method to the server that rules out other methods?

What specific security vulnerabilities are raised by using Upgrade (a useful discussion to be had in any case)?

Regards,


On 28/10/2010, at 5:07 PM, Adam Barth wrote:

> That's true, but we don't know of any non-TLS WebSocket handshake that
> connects more than about half the time.  If you want to reliably
> connect to the server, you need to use TLS.
> 
> Adam
> 
> 
> On Wed, Oct 27, 2010 at 11:04 PM, Mark Nottingham <mnot@mnot.net> wrote:
>> Intermediaries that aren't expecting CONNECT are just as likely to ignore it (i.e., many, but not all, will error out, whereas the rest will pass it through). E.g., try CONNECTing to Squid running as a transparent proxy, or against a L7 load balancer, or...
>> 
>> Cheers,
>> 
>> 
>> On 28/10/2010, at 4:59 PM, Adam Barth wrote:
>> 
>>> On Wed, Oct 27, 2010 at 10:53 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>>> On 28/10/2010, at 4:48 PM, Willy Tarreau wrote:
>>>>> On Thu, Oct 28, 2010 at 02:14:53PM +1100, Mark Nottingham wrote:
>>>>>> Because CONNECT is for establishing a connection to a proxy, not a gateway (which is what you're doing).
>>>>> 
>>>>> That's true but the semantics of the CONNECT method is the closest to what we
>>>>> need in WebSocket. After all, we're negotiating a bidirectional tunnel between
>>>>> the browser and the application through the HTTP infrastructure.
>>>> 
>>>> This is neither horseshoes nor hand grenades. CONNECT is unique (and badly designed, as a method) because it doesn't go through, it terminates at the proxy. Sending a CONNECT to an origin server makes no sense, and is likely to be blocked by all sorts of infrastructure.
>>>> 
>>>> You'd be better off using Upgrade, which is very much designed for this use case.
>>> 
>>> Unfortunately using Upgrade for WebSockets causes security
>>> vulnerabilities because many intermediaries don't understand its
>>> semantics and ignore it.  On the other hand, CONNECT is widely used
>>> and has the behavior we want.
>>> 
>>> Adam
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/

--
Mark Nottingham   http://www.mnot.net/
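As an added illustration of the two behaviours contrasted in this thread (CONNECT terminating at the proxy versus Upgrade being hop-by-hop), not code from the thread or any of its participants, here is a minimal Python model of an HTTP/1.1 intermediary's decision logic with constructed sample requests; the method and header names are HTTP/1.1's, while `decide`, its action names and the sample hosts are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Hop-by-hop header fields defined by HTTP/1.1 (RFC 2616 section 13.5.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)  # lower-cased field names

def parse_request_head(raw: bytes) -> Request:
    """Parse the request line and headers; anything after the blank line is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)

def connection_tokens(req: Request) -> set:
    """Tokens in Connection:, each naming a header that applies to this hop only."""
    return {t.strip().lower() for t in req.headers.get("connection", "").split(",") if t.strip()}

def decide(req: Request, is_proxy: bool, supported_upgrades=("websocket",)):
    """Return (action, headers_to_forward); the action names are this example's own.
    tunnel/reject: CONNECT terminates at a proxy, an origin has no tunnel to open.
    upgrade: understood token, forwarded; relay bytes blindly after a 101 reply.
    forward: plain HTTP; an Upgrade this hop does not understand is dropped."""
    if req.method == "CONNECT":
        return ("tunnel", {}) if is_proxy else ("reject", {})
    listed = connection_tokens(req)
    # Strip every hop-by-hop field, including those nominated via Connection:.
    fwd = {k: v for k, v in req.headers.items() if k not in HOP_BY_HOP and k not in listed}
    if "upgrade" in listed and req.headers.get("upgrade", "").lower() in supported_upgrades:
        fwd["connection"] = "Upgrade"            # re-declared for the next hop only
        fwd["upgrade"] = req.headers["upgrade"]
        return ("upgrade", fwd)
    return ("forward", fwd)

# Constructed sample requests (not captured traffic).
WS_HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: example.com\r\nUpgrade: WebSocket\r\n"
                b"Connection: Upgrade\r\nOrigin: http://example.com\r\n\r\n")
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
```

The point of the `forward` branch is that a hop which does not understand the upgrade token drops it, so the origin never answers 101 and the handshake fails cleanly instead of the hop continuing to parse a non-HTTP byte stream as HTTP.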
Received on Thursday, 28 October 2010 06:14:12 GMT