W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2010

Re: [hybi] workability (or otherwise) of HTTP upgrade

From: Adrien de Croy <adrien@qbik.com>
Date: Tue, 07 Dec 2010 19:42:47 +1300
Message-ID: <4CFDD767.2080507@qbik.com>
To: Willy Tarreau <w@1wt.eu>
CC: Mark Nottingham <mnot@mnot.net>, Maciej Stachowiak <mjs@apple.com>, hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>

from a proxy / firewall vendor perspective, overloading yet more 
functionality over port 80 CONNECT is something that will simply cause 
us more work, and require us to put more resources into dealing with the 
sort of requests made by CONNECT.

It's bad enough already having malware use CONNECT, so you have to lock 
it down.

Trying to distinguish legitimate use from undesired use gets more 
difficult the more you put over this.

It means you pretty much need to put a firewall and protocol sniffing on 
top of your tunneled connections.

So, where does this lead?  Everyone starts using port 80 for everything, 
and in the end port 80 will be where TCP is now.  Highly restricted.

Except for the additional overhead and complexity = bugs, worse 
performance and security problems.

Maybe we need to stop and think about why the other ports are blocked, 
which compels us to try and circumvent company policy by looking for 
back-door ways to get connectivity.

Mark's comments about an arms-race are spot on.

Whilst you may get good odds of a successful connection now, wait a few 
years when people start locking CONNECT down and it will likely be no 
better than TCP on a different port is now.  Except coaching customers 
to lock down CONNECT is a PITN.

Cheers

Adrien


On 7/12/2010 7:10 p.m., Willy Tarreau wrote:
> On Tue, Dec 07, 2010 at 01:13:28PM +1100, Mark Nottingham wrote:
>> On 07/12/2010, at 12:30 PM, Maciej Stachowiak wrote:
>>
>>> On Dec 6, 2010, at 4:53 PM, Mark Nottingham wrote:
>>>
>>>> I don't think that's the relevant aspect here. "Another port" could be port 80 or port 443 (nasty, and you wouldn't make it the default, but I think you see where I'm going).
>>>>
>>>> The question is why it's necessary to run both HTTP and WebSockets traffic over the *same* port simultaneously -- something that AFAICT is taken as axiomatic, and I'm really wondering why.
>>> Web developers will likely want to operate both a WebSocket service and an HTTP service on the same server, since WebSocket services are likely to be most useful in combination with a Web application that makes use of them. At the same time, they will want their WebSocket traffic to go through firewalls properly. It would be a significant burden if a WebSocket service required a separate domain name, physical or virtual server, and possibly SSL cert.
>>>
>>> Thus desire to have a single piece of server software that can dispatch connects to HTTP applications or Web applications as appropriate.
>> You don't need a different domain name, hardware, OS instance or certificate to listen to a different port, and if you have a wildcard SSL cert, you can use the same cert for the same port number on two different hosts.
> In my opinion the problem is not here, but the adoption rate depending
> on the port. Many organisations implement URL filtering on port 80,
> white-list based filtering on 443 and nothing else around. If you want
> to deploy a site which quickly gets a lot of traffic, port 80 clearly
> is the most suited, which is even more true considering that long polling
> mechanisms already work over that port.
>
> Also, being able to switch from HTTP to WS over a same socket for some
> services can save one round trip, but that's marginal in most situations,
> except from mobile phones.
>
> Regards,
> Willy
>
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Tuesday, 7 December 2010 06:43:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:33 GMT