Re: Hello from Mozilla from Alex Rousskov on 2009-07-14 (squid-dev)

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 14 Jul 2009 18:24:13 -0600

On 07/14/2009 06:01 PM, Ian Hickson wrote:
> On Tue, 14 Jul 2009, Alex Rousskov wrote:
>> HTTP "hard-coding" seems to be a small, albeit critical, part of
>> WebSocket so changing it to avoid conflicts with HTTP may be possible
>> without significant negative effects on the rest of the draft.
>
> The handshake is a pretty critical part of the security model of the
> WebSocket protocol. I don't really see how we can continue to have the
> safe handshake while allowing either the client or the server to send any
> arbitrary string.

Perhaps the WebSocket secure handshake should start _after_ the
successful upgrade? Is not that how HTTP Upgrade was intended to be used?

> WebSocket isn't an HTTP-upgraded protocol; it's just that its handshake
> happens to be such that it can trick HTTP servers into thinking that it
> is. In other words, HTTP Upgrade is not the initial handshake mechanism,
> it just looks like it is if you don't examine it closely.

I think I understand the intent behind the trick, but if a message looks
like an HTTP message to the HTTP server or intermediary, the HTTP server
or intermediary may start doing HTTP-valid things to it, and those
things will not be valid from WebSocket point of view. Henrik provided a
few examples of that already.

I want to avoid the following Squid bug report 5 years from now:

Title: Squid breaks FooBar

Comment1: FooBar, a WebSocket application, works fine unless there is a
"transparent" Squid proxy in the way. I have attached a packet trace.

Comment2: Closed as invalid. Squid seems to be handling the HTTP
messages correctly. Squid is not responsible to what happens after
Upgrade, inside the tunnel.

Comment3: Reopened as critical. I need to make this work. Please do
something! I have read somewhere that if Squid would not add a Via or
XFF header and also that extra space character after a column,
everything would just work!

Comment4: Changed to enhancement: Rewrite Squid to support
WebSocket-compatible Upgrade exchange. Meanwhile, consider writing a
post-Squid eCAP module that will rewrite Squid-altered HTTP messages to
conform to WebSocket.

Cheers,

Alex.
Received on Wed Jul 15 2009 - 00:24:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Jul 15 2009 - 12:00:05 MDT