W3C home > Mailing lists > Public > www-tag@w3.org > September 2011

Re: TAG work on SPDY

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Sun, 25 Sep 2011 18:12:47 -0400
Message-ID: <4E7FA75F.9040404@arcanedomain.com>
To: Jonathan Rees <jar@creativecommons.org>
CC: Jeni Tennison <jeni@jenitennison.com>, "www-tag@w3.org List" <www-tag@w3.org>, Jim Gettys <jg@freedesktop.org>

On 9/25/2011 11:33 AM, Jonathan Rees wrote:
> Caching and security do seem to be at odds. A similar situation is
> CSRF defense using nonces, which breaks cachability of HTML forms.
>
> There are probably architectural solutions to these conflicts. I don't
> know what they are, although I could probably make something up.

My concern with this is that SPDY is introduced primarily for performance, 
but as far as I can tell uses SSL unconditionally. Thus, even information 
that would otherwise not require protection might be less easily cached. 
So, there's a risk, I think, that the on-the-wire performance of a 
particular retrieval would in certain cases be traded for increased load on 
an origin server, and perhaps increased aggregate network traffic, as more 
copies are sourced directly from the origin.

I should emphasize that I'm just speculating that there might be an impact 
on cacheing, and I'd be happy to hear from those who know more about SPDY 
that there is no problem.

> Architecturally the important thing is the interface or contract, not
> choice of implementation (protocol). To answer this question we'd need
> to know what requirements HTTP meets, and then see if SPDY meets them
> too. (I think I'm repeating Roy's "http: is not HTTP" slogan here.
> According to the specs at least, http-scheme URIs aren't tied to the
> HTTP protocol, and the HTTP protocol is not limited to http-scheme
> URIs.)

Long ago when the TAG was discussing my (as yet unsucessful) attempts to 
formalize the relationship between schemes and protocols, it was pointed 
out that the naming contract for http-scheme resources is somewhat 
different than for https. That is, when you retrieve an https-named 
resource part of the contract is that certificates will be checked as part 
of the name resolution. That's not in general true of otherwise similar 
http-named resources.

So, if the switch were being done in the other direction we would be highly 
suspicious: resolving an https URI without checking certs is inapproriate. 
SPDY goes the other way, with at least some consideration to using SSL (and 
thus, I presume, certs?) for http URIs. This seems like a safer switch, but 
it really is a change of contract.  Today, access to my http-named 
resources cannot fail due to certificate problems, and it seems there's 
consideration of changing that.

I'm not offering an early opinion as to whether that's bad, merely that it 
needs careful thought. Also: my impression is that SPDY is mostly used with 
https-named resources anyway, but I did see something somewhere about 
automatically switching to HTTPS even for http URIs.

Noah
Received on Sunday, 25 September 2011 22:13:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:39 GMT