
Re: [hybi] workability (or otherwise) of HTTP upgrade

From: Willy Tarreau <w@1wt.eu>
Date: Tue, 7 Dec 2010 08:25:17 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: Mark Nottingham <mnot@mnot.net>, Maciej Stachowiak <mjs@apple.com>, hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20101207072517.GP19364@1wt.eu>
On Tue, Dec 07, 2010 at 07:42:47PM +1300, Adrien de Croy wrote:
> 
> from a proxy / firewall vendor perspective, overloading yet more 
> functionality over port 80 CONNECT is something that will simply cause 
> us more work, and require us to put more resources into dealing with the 
> sort of requests made by CONNECT.
> 
> It's bad enough already having malware use CONNECT, so you have to lock 
> it down.
> 
> Trying to distinguish legitimate use from undesired use gets more 
> difficult the more you put over this.
> 
> It means you pretty much need to put a firewall and protocol sniffing on 
> top of your tunneled connections.
> 
> So, where does this lead?  Everyone starts using port 80 for everything, 
> and in the end port 80 will be where TCP is now.  Highly restricted.

There's a difference between port filtering and protocol filtering though.
Port filtering gets you nowhere without protocol filtering. Right now I'm
used to SSH home on port 443 from various places. So a port means nothing.
Also, there's a reason CONNECT is used a lot: it's supposed to be a blind
tunnel which is not easy to filter. Port 80 has clearly defined semantics
and only HTTP passes over it. If we use an Upgrade-based method instead
of a CONNECT-based method, it is perfectly possible to build filtering
proxies which will consider the Upgrade header and ensure that the upgraded
protocol really matches WS framing. CONNECT does not define the upgraded
protocol, which is why it's harder to filter on it.

In fact, I'd say that the more ports we open, the more complex rules we
have in the end because we already know that many protocol-port combinations
will have to be filtered anyway.

In fact if HTTPS made use of Upgrade instead of CONNECT, we would not have
the current mess with malware or SSH abusing CONNECT.

Regards,
Willy
Received on Tuesday, 7 December 2010 07:26:01 GMT
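The filtering Willy describes, as an added example that is not part of the thread: a proxy can validate an Upgrade-based WebSocket handshake and then check that the bytes that follow look like WebSocket frames, neither of which it can do for a blind CONNECT tunnel. The framing rules assumed here are those of RFC 6455 (the 2010 hybi drafts differ in detail), and the sample traffic is constructed.

```python
# Constructed example: what a filtering proxy can check on an Upgrade-based
# WebSocket connection that it could never check inside a CONNECT tunnel.
# Framing rules follow RFC 6455 (assumed here; the 2010 hybi drafts differ).

VALID_OPCODES = {0x0, 0x1, 0x2, 0x8, 0x9, 0xA}  # cont, text, binary, close, ping, pong


def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request-line, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_upgrade(raw: bytes) -> bool:
    """True only for a GET whose headers form a WebSocket opening handshake."""
    request_line, h = parse_head(raw)
    if request_line.split(" ")[0] != "GET":
        return False  # a CONNECT names no upgraded protocol, so there is nothing to verify
    connection = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return (h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in connection
            and "sec-websocket-key" in h
            and h.get("sec-websocket-version") == "13")


def client_frame_header_ok(data: bytes) -> bool:
    """Check the first two bytes of a client-to-server frame: RSV clear, known opcode, MASK set."""
    if len(data) < 2:
        return False
    rsv, opcode, masked = (data[0] >> 4) & 0x7, data[0] & 0xF, bool(data[1] & 0x80)
    return rsv == 0 and opcode in VALID_OPCODES and masked


# Constructed sample traffic (handshake key and masked "Hello" frame are the RFC 6455 examples).
WS_HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: example.com\r\nUpgrade: websocket\r\n"
                b"Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                b"Sec-WebSocket-Version: 13\r\n\r\n")
CONNECT_REQUEST = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
MASKED_TEXT_FRAME = bytes([0x81, 0x85, 0x37, 0xFA, 0x21, 0x3D, 0x7F, 0x9F, 0x4D, 0x51, 0x58])
SSH_BANNER = b"SSH-2.0-OpenSSH_5.5\r\n"  # first bytes an SSH client sends; fails the frame check

if __name__ == "__main__":
    print(is_websocket_upgrade(WS_HANDSHAKE), is_websocket_upgrade(CONNECT_REQUEST))  # True False
    print(client_frame_header_ok(MASKED_TEXT_FRAME), client_frame_header_ok(SSH_BANNER))  # True False
```

A real proxy would run the frame check on every client frame for the life of the connection, not only the first one; the header-only check is enough to show why an SSH stream tunnelled this way is distinguishable while the same bytes inside CONNECT are not.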