ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

2011-07-12 10:08:53
from [Greg Wilkins] [Permanent Link] 
For the benefit of the wider ietf(_at_)ietf(_dot_)org audience, I'd like to
summaries an unresolved issue from the Hybi WG with the websocket
draft protocol.

Draft 10 if this document contains the "deflate-stream" extension in
section 9.2.1

This extension does not comply with any of the anticipated uses of
extensions listed in section 4.8, at best this makes it a poor
exemplar of an extension, as worst it makes it an unexpected total
change to the framing seen on the wire.

Because the extension changes the framing of bytes on the wire, this
will force all tools and intermediaries that wish to observe the frame
boundaries, to implement this extension, making it non optional.  For
example, intermediaries that do not implement this extension will be
unable to buffer/forward on frame boundaries.

Because default-stream is applied after the masking of client sent
frames, it is highly inefficient, with little or no compression being
achieved due to the random masking keys and the masking of any regular
patterns in the payload.

The intent of masking was to prevent bytes sent on the wire being
being controlled by an attacker.  However, a security concern has been
raised that the predictability of the deflate algorithm to convert
byte patterns into shorter bit sequences may allow a payload to be
crafted that would predictably produce bytes on the wire regardless of
the masking applied.

A reasonable alternative has been proposed that does not apply
deflation to the stream. Rather it applies it only to the application
data before masking, while keeping the compression dictionary between
frames.   This alternative proposal is a good exemplar extension (in
line with 4.8), provides efficient compression and does not suffer
from the security concern raised.

Since draft -7, there have been many voices in the WG calling for the
withdrawal of deflate-stream and nobody has spoken in favour of the
retention of deflate-stream on any grounds other than it is already
implemented/deployed.

I fail to understand why a non essential feature that was put into
draft-3 without  discussion or consensus, that has demonstrable
deficiencies, security concerns and vocal opponents has been left in
the draft all the way to final call?


regards

Greg Wilkins
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Gen-art] Gen-ART LC Review of draft-ietf-dnsext-rfc2672bis-dname-22, Ben Campbell
Next by Date:  Nomcom 2011-2012: Final List of Volunteers, NomCom Chair
Previous by Thread:  RE: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard: request for max frame size, Len Holgate
Next by Thread:  Repetitions and consensus, Brian E Carpenter
Indexes:  [Date] [Thread] [Top] [All Lists]