- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Thu, 14 Nov 2013 20:44:49 +0100
- To: "Patrick McManus" <pmcmanus@mozilla.com>
- Cc: "Zhong Yu" <zhong.j.yu@gmail.com>, "Roberto Peon" <grmocg@gmail.com>, "Frédéric Kayser" <f.kayser@free.fr>, "HTTP Working Group" <ietf-http-wg@w3.org>
Le Jeu 14 novembre 2013 18:34, Patrick McManus a écrit : > On Thu, Nov 14, 2013 at 12:13 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote: > >> >> If that's the case, WebSocket is also "undeployable" since it tunnels >> though port 80 as well. >> >> > that's right. The failure rate of cleartext websockets is much higher than > SSL wss:// websockets. (the failure rate is almost twice as large in > firefox). That's a significant part of the driver here. Websockets made a > mistake by even specifying cleartext. I was there and I've learned that > lesson. Yep, sure, people deployed all kinds of firewalls to forbid protocols they didn't trust. Here comes a web developer that says "you dummies, just push your untrusted protocol on port 80 in the browser I know the security guys let this pass". And the result gets blocked. Big surprise. And http/2 will get blocked too if it uses tls to workaround security blocks (not that https is not *that* close to being blocked now that people have used it right and left to bypass security restrictions; the one good thing about MITM TLS is that it kills such protocol abuses). I'm astounded anyone is even surprised firewall operators fight "enhancements" consisting in blowing holes in firewalls. I'm astounded anyone thinks being sneakier will endear it to those operators. Is the workgroup charter to improve the http protocol (a safe protocol that is widely allowed because of its simplicity, lack of side-effects, and inspectbility) or is its sole aim to fight security equipments in all possible ways by creating a blackhole monster? Because sometimes I really wonder… -- Nicolas Mailhot
Received on Thursday, 14 November 2013 19:45:20 UTC