Sunday, December 11, 2011

RFC 6454 and RFC 6455

Today, the IETF published two documents: RFC 6454, The Web Origin Concept, and RFC 6455, The WebSocket Protocol. Both of these documents started out as sections in the HTML5 specification, which has been a hotbed of standards activity over the past few years, but they took somewhat different paths through the standards process.

RFC 6454's path through the IETF process was mostly smooth sailing.  The document defines the same-origin policy, which is widely implemented and fairly cut-and-dried.  In addition to the comparison and serialization algorithms we inherited from the WHATWG, the websec working group added a definition of the Origin HTTP header, which is used by CORS, and a broad description of the principles behind the same-origin policy.

RFC 6455's path was less smooth.  The protocol underwent several major revisions in the WHATWG, before reaching the IETF.  The protocol was fairly mature by the time it reached the hybi working group and was implemented in WebKit and Firefox.  Unfortunately, some details of the protocol offended HTTP purists, who wanted the protocol handshake to comply with HTTP.  The working group polished up these details, leading to churn in the protocol.

Around this time, some colleagues and I were studying the interaction between DNS rebinding and transparent proxies. It occurred to us that folks had analyzed the end-to-end security properties of WebSockets, but less effort had been expended analyzing the interaction between WebSockets and transparent proxies. We studied these issues and found an interesting vulnerability. We presented our findings to the working group, which updated the protocol to fix the issue.

One perspective on these events is that they are a success. We found and fixed a protocol-level vulnerability before the protocol was deployed widely. Another perspective is that we annoyed early adopters by polishing unimportant protocol details. My view is that this debate boils down to whether you really believe that worse is better. For my part, I believe we had a net positive impact, but I hope we can be less disruptive to early adopters when we improve security in the future.

88 comments:

  1. Congrats, Adam!

    I agree that worse is better, but the straw-man argument against wider review of WebSockets isn't fair. Anyone adopting it that early in the game should know that it has potential for change; if they didn't, the implementers and advocates misled them.

    After all, the last big technology the browser vendors pushed through the IETF without significant review was Cookies -- and look how well that turned out. Yes it worked, and yes it got traction, but boy was it a mess.

    Anyway, we'll probably disagree on that, and I'm not going to defend all aspects of the process -- e.g., about: is taking way too long.

    What's next?

  2. Typo note: In paragraph 3, "The was fairly mature by the time..." seems to be missing a word near the beginning of the sentence.

  3. Typo fixed.

    @mnot: Good question. I'm hopeful that SPDY is next. It looks like the stars are aligning for the IETF to take up its standardization. Hopefully we can use the experience we've gained with WebSockets to make that process a success.

  4. It only annoyed the "early adopters" because the "purists" were concerned about details that were "unimportant" from your point of view and not theirs.

    "Worse is better" may be a better business plan, but it's inconsistent with putting something on standards track looking for rough consensus.

    Perhaps RFC 6454 was only "smooth sailing" because there's not enough context to evaluate its holes (like "What is the origin of 'about:blank'?") It would be better if it just defined Origin for HTTP URIs; otherwise all of the interesting action is in the specifications that reference this one.

    @mnot: Cookies were not "pushed through the IETF"; it would have been better if it had. But the early adopters who had widely implemented and deployed cookies didn't like the feedback they got from the security "purists" at the time, leaving the mess for the next generation of standardistas to fix.

  5. @Larry:

    Yeah, I definitely understand the "better is better" perspective. I don't view the protocol changes made by the working group as unimportant, but I do recognize that there was a cost to making those changes. Most notably, WebSockets came to market a year later than it might have otherwise.

    With respect to RFC 6454, you're right that it's mostly a building block for other standards to build upon. To answer your specific question, the origin of about:blank is a globally unique identifier. When used in an HTML document, the HTML specification changes the origin of about:blank documents depending on context. When used in other places, however, that HTML-specific quirk need not apply.

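As an added example (not code from the post, the RFCs, or any browser), here is a small Python rendering of the RFC 6454 rules the post refers to: computing the origin of a URI, comparing origins, and serializing them (the value carried in the Origin header), including the globally unique identifier that about:blank receives, as described in the reply above. The table of known schemes and the use of a UUID to stand in for a globally unique identifier are this example's own choices.

```python
"""RFC 6454 origin computation, comparison and serialization (Sections 4-6).
Added example; the known-scheme table and UUID representation are assumptions."""
import uuid
from urllib.parse import urlsplit

# Default ports for the schemes this example treats as "known". Any other
# scheme, or a URI with no host (about:blank, data:), gets an opaque origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(uri):
    """Section 4: return a (scheme, host, port) triple, or a fresh globally
    unique identifier when the URI has no hierarchical naming authority."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        # Each call yields a new identifier, so about:blank is never
        # same-origin with another about:blank unless the same object is reused.
        return ("unique", uuid.uuid4().hex)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # Hostnames compare case-insensitively; normalize to lowercase once.
    return (scheme, parts.hostname.lower(), port)


def same_origin(a, b):
    """Section 5: two origins match only if scheme, host and port are all
    equal, or if they are the very same globally unique identifier."""
    return a == b


def serialize(origin):
    """Section 6: ASCII serialization; "null" for a unique identifier, and the
    port is written only when it differs from the scheme's default."""
    if origin[0] == "unique":
        return "null"
    scheme, host, port = origin
    out = f"{scheme}://{host}"
    if port != DEFAULT_PORTS[scheme]:
        out += f":{port}"
    return out
```

Note that `serialize` is lossy by design: every unique-identifier origin collapses to the string "null", so a server reading an Origin header must treat "null" as an unknown, not a trusted, sender.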