Re: Moving forward on improving HTTP's security

On Thu, 14 November 2013 18:34, Patrick McManus wrote:
> On Thu, Nov 14, 2013 at 12:13 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>
>>
>> If that's the case, WebSocket is also "undeployable" since it tunnels
>> through port 80 as well.
>>
>>
> that's right. The failure rate of cleartext websockets is much higher than
> SSL wss:// websockets. (the failure rate is almost twice as large in
> Firefox). That's a significant part of the driver here. Websockets made a
> mistake by even specifying cleartext. I was there and I've learned that
> lesson.

Yep, sure, people deployed all kinds of firewalls to forbid protocols they
didn't trust. Here comes a web developer that says "you dummies, just push
your untrusted protocol on port 80 in the browser I know the security guys
let this pass".

And the result gets blocked. Big surprise.

And http/2 will get blocked too if it uses tls to work around security
blocks (not that https is not *that* close to being blocked now that
people have used it right and left to bypass security restrictions; the
one good thing about MITM TLS is that it kills such protocol abuses).

I'm astounded anyone is even surprised firewall operators fight
"enhancements" consisting of blowing holes in firewalls. I'm astounded
anyone thinks being sneakier will endear it to those operators. Is the
workgroup charter to improve the http protocol (a safe protocol that is
widely allowed because of its simplicity, lack of side-effects, and
inspectability) or is its sole aim to fight security equipment in all
possible ways by creating a blackhole monster? Because sometimes I really
wonder…

-- 
Nicolas Mailhot

Received on Thursday, 14 November 2013 19:45:20 UTC