- From: ??? <willchan@chromium.org>
- Date: Thu, 14 Nov 2013 10:01:42 -0800
- To: Zhong Yu <zhong.j.yu@gmail.com>
- Cc: Patrick McManus <pmcmanus@mozilla.com>, Roberto Peon <grmocg@gmail.com>, Frédéric Kayser <f.kayser@free.fr>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAA4WUYh0njsyU5xFRr3xo9M=QZ9tbXf-2fvgMGKVw6AXtF-61g@mail.gmail.com>
Unreliable deployability over port 80 in the open web is well known. See web devs talking about how to deploy WebSockets: https://speakerdeck.com/3rdeden/websuckets?slide=42. See Google's websockets experiment: http://www.ietf.org/mail-archive/web/tls/current/msg05593.html. I could pull up more examples, but you probably get the picture by now. No major service that operates on the open web *currently* deploys WebSockets over port 80. If you need reliable deployment over the open web, then port 80 cleartext is not acceptable. Period. But if you're OK with double-digit failure rates (maybe that'll go down to single digit in some future world where HTTP/2 has much wider deployment), then it's fine to deploy HTTP/2 for your service over port 80 cleartext. But large services generally aren't going to do this, because such high failure rates lead to lots of lost business.

Private networks are a completely different matter of course.

On Thu, Nov 14, 2013 at 9:46 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> On Thu, Nov 14, 2013 at 11:34 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> >
> > On Thu, Nov 14, 2013 at 12:13 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> >>
> >> If that's the case, WebSocket is also "undeployable" since it tunnels
> >> through port 80 as well.
> >>
> >
> > That's right. The failure rate of cleartext websockets is much higher than
> > SSL wss:// websockets. (The failure rate is almost twice as large in
> > Firefox.) That's a significant part of the driver here. Websockets made a
> > mistake by even specifying cleartext. I was there and I've learned that
> > lesson.
>
> Would it have been a bigger mistake if WebSocket only worked on a secure
> channel? Would that encourage or discourage the deployment of
> WebSocket? I think it would definitely have been a deterrent.
>
> In the current scheme, the service provider can try ws:// first. It
> might work very satisfactorily (e.g. if most users connect from home
> computers). If it does not, the service provider can upgrade to wss://
> without too much hassle.
>
> >
> > Cleartext just doesn't work, as Roberto keeps saying.
>
> Aren't websocket frames masked with random bits?
>
> >
> > The only question in my mind is whether or not to require a real
> > PKI-as-we-know-it authenticated cert. That has tradeoffs - but at least we
> > expect it would operate.
> >
> >
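The quoted question about masking touches the one protocol mechanism WebSocket has for surviving cleartext intermediaries. The following is an added example, not code from the thread or from any of its participants: it builds and parses a client-to-server frame per RFC 6455 (the header layout and the fixed mask key 37 fa 21 3d are taken from the RFC's own worked example; `build_client_frame` and `parse_frame` are names chosen here). It shows what masking does and does not do: the 4-byte key is sent in the clear right before the payload, so any on-path observer can unmask it. Masking is there to stop a proxy from mistaking frame bytes for an HTTP request (the cache-poisoning concern in RFC 6455 section 10.3), not to provide confidentiality, and it does nothing about intermediaries that simply refuse or strip the Upgrade.

```python
"""RFC 6455 client-to-server frame masking, as an illustration (not the
thread's own code). Mask key bytes and the "Hello" frame below are the
RFC's worked example; everything else is constructed here."""
import os
import struct


def mask_payload(payload, mask_key):
    """XOR each payload byte with mask_key[i % 4] (RFC 6455 section 5.3).
    The operation is its own inverse, so this also unmasks."""
    if len(mask_key) != 4:
        raise ValueError("mask key must be exactly 4 bytes")
    return bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload, opcode=0x1, mask_key=None):
    """Build one FIN'd, masked frame as a client must send it.
    A fresh random key per frame is the RFC requirement; a fixed key is
    accepted here only so the output can be checked against the RFC."""
    if mask_key is None:
        mask_key = os.urandom(4)
    header = bytes([0x80 | (opcode & 0x0F)])          # FIN=1, RSV=0, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                   # MASK=1, 7-bit length
    elif n < (1 << 16):
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    # The key travels in the clear immediately before the masked payload.
    return header + mask_key + mask_payload(payload, mask_key)


def parse_frame(frame):
    """Parse one frame as a server (or a passive observer) would, unmasking
    if the MASK bit is set. Returns the decoded fields."""
    fin = bool(frame[0] & 0x80)
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    length = frame[1] & 0x7F
    pos = 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[2:4])
        pos = 4
    elif length == 127:
        (length,) = struct.unpack("!Q", frame[2:10])
        pos = 10
    mask_key = b""
    if masked:
        mask_key = frame[pos:pos + 4]
        pos += 4
    data = frame[pos:pos + length]
    if masked:
        data = mask_payload(data, mask_key)   # anyone with the frame can do this
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "mask_key": mask_key, "payload": data}


def rfc_example_frame():
    """The single-frame masked text message from RFC 6455 section 5.7."""
    return build_client_frame(b"Hello", mask_key=bytes.fromhex("37fa213d"))


def wire_hides_payload(payload):
    """True if the literal payload bytes do not appear on the wire, while a
    passive observer can still recover them from the frame alone."""
    frame = build_client_frame(payload)
    recovered = parse_frame(frame)["payload"]
    return payload not in frame and recovered == payload


if __name__ == "__main__":
    print(rfc_example_frame().hex())
    # A constructed payload that looks like an HTTP request line: masking
    # keeps a proxy from seeing it as one, but does not keep it secret.
    print(wire_hides_payload(b"GET /admin HTTP/1.1\r\n"))
```

The `wire_hides_payload` check is deliberately two-sided: the request-like bytes never appear verbatim on the wire (the point of masking), yet `parse_frame` recovers them from the frame alone because the key is adjacent in cleartext. That is the distinction behind the reply to the masking question: masking addresses one specific intermediary failure mode, not the general unreliability of cleartext port 80.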
Received on Thursday, 14 November 2013 18:02:10 UTC