Re: Banana Republic (was Re: OpenVMS Book Wins award)



Richard Maher wrote:
Hi Mark,

(I purchased it when AU$ was almost at US$ parity :-)

Aaah, it seems like only weeks ago :-(

I bought it through Barnes and Noble in late May '08 for US$36.00 plus
US$13.00 P&P, and I think my credit card statement said something like
AU$52.00 so it was right at the 'peak'. Why the AU$ currently should be
at US$0.65 now escapes me - perhaps that's one reason I'm still working
for wages.

It was a good 'background' read but not directly applicable to my
daytime duty statement these days. I had not (as I indicated to Roland
I might) gotten around to a public review (that would have required a
second read). Willem Grooters provided one I'd generally endorse.

At around the same time I purchased Heller's, "Catch 22" (shipped to one
of my daughters), Earl's, "Digital Equipment Corporation (MA) (Images
of America)", and Schein's, "DEC Is Dead, Long Live DEC"; all good
reads and all for different reasons. With the exchange rate more like
2:3 I might have to think more carefully. (The Earl soft-cover is
a particularly easy but also interesting 'read' I'd recommend to all
interested in DEC :-)

Cheers Richard Maher

PS. Just in case you don't subscribe to the WHATWG mailing list, do you have
any interest in, or opinions on the following: -

No I don't and indirectly I guess I do.

That any network connectivity has some sandboxing doesn't exactly
surprise me. A network conduit (like SSH or HTTP CONNECT) is carte
blanche for whatever the agent wishes to transfer. No constraint would
be considered negligence.

I'm guessing you mention this because the suggestion below that

"that the time could be better spent providing guidelines for
communication via an asynchronous CGI [originally I read GUI :-]
interface."

sounds remarkably like Tier3 :-)

I agree; why would anyone spend time abstracting interfaces if a
monolithic solution is all that is currently required? Of course this
is an entirely fresh (if not novel) discussion point ...

----- Original Message ----- From: "Shannon"
To: "WHAT working group" >
Sent: Tuesday, October 14, 2008 7:22 AM
Subject: [whatwg] WebSocket and proxies


In the process of testing my WebSocket proposal I discovered the CONNECT
method has a major restriction. Most proxies disable CONNECT to anything
but port 443.

The following is from "Squid and the Blowfish":
------------------
It is very important that you stop CONNECT type requests to non-SSL
ports. The CONNECT method allows data transfer in any direction at any
time, regardless of the transport protocol used. As a consequence, a
malicious user could telnet(1) to a (very) badly configured proxy, enter
something like:
... snip example ...
and end up connected to the remote server, as if the connection was
originated by the proxy.
-------------------

I verified that Squid and all public proxies I tried disable CONNECT by
default to non-SSL ports. It's unlikely many internet hosts will have
443 available for WebSockets if they also run a webserver. It could be
done with virtual IPs or dedicated hosts but this imposes complex
requirements and costs over alternatives like CGI.

The availability and capabilities of the OPTIONS and GET protocols also
varied from proxy to proxy. The IETF draft related to TLS
(http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05) has this to
say:
-------------------
3.2 Mandatory Upgrade

If an unsecured response would be unacceptable, a client MUST send
an OPTIONS request first to complete the switch to TLS/1.0 (if
possible).

OPTIONS * HTTP/1.1
Host: example.bank.com
Upgrade: TLS/1.0
Connection: Upgrade
-------------------

So according to this draft spec OPTIONS is the only way to do a
*mandatory* upgrade of our connection. Once again this failed in testing

-------------------
=> OPTIONS * HTTP/1.1
=> Proxy-Connection: keep-alive
=> Connection: Upgrade
=> Upgrade: WebSocket/1.0
=> Host: warriorhut.org:8000
=>
<= HTTP/1.0 400 Bad Request
<= Server: squid/3.0.STABLE8
--------------------

Other proxies gave different errors or simply returned nothing. The
problem may be related to the Upgrade and Connection headers rather than
OPTIONS, since I had similar issues using Connection: Upgrade with GET.

I had the most success using GET without a Connection: Upgrade header.
It seems that the proxy thinks the header is directed at it so it does
not pass it on to the remote host. In many cases it will abort the
connection. Using the Upgrade: header without Connection allows the
Upgrade header through to the actual websocket service.

It seems to me that whatever we try in many cases the connection will be
silently dropped by the proxy and the reasons will be unclear due to the
lack of error handling. There seems to be a wide variation in proxy
behaviour for uncommon operations. I suppose proxy developers could fix
these issues but whether a significant rollout could be achieved before
HTML5 is released is questionable.

Given that an asynchronous connection cannot be cached the only reasons
remaining for going through a proxy are anonymity and firewall
traversal. Automatically bypassing the users proxy configuration to
solve the issues above has the potential to break both of these. It
would be a significant breach of trust for a UA to bypass the users
proxy and some networks only allow connections via a proxy (for security
and monitoring).

It seems that we're stuck between a rock and hard place here. In light
of this I reiterate my earlier suggestion that the time could be better
spent providing guidelines for communication via an asynchronous CGI
interface. This would allow reuse of existing port 80 and 443 web
services which would resolve the cross-domain issues (the CGI can relay
the actual service via a backend connection) and most of the proxy
issues above (since proxy GET and CONNECT are more reliable on these
ports).
Shannon
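
Added example, not part of Shannon's message or of any proxy's code: a small model of the two proxy behaviours described above, Squid's default of allowing CONNECT only to port 443 and RFC 2616 section 14.10's rule that a proxy strips every header named in a Connection header before forwarding (which is why Upgrade vanishes when sent with Connection: Upgrade but survives when sent alone). The request text is constructed from the trace in the post; the allowed-port set is an assumption matching the default Squid configuration quoted there.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumption: Squid's shipped SSL_ports ACL, i.e. CONNECT is permitted to port 443 only.
ALLOWED_CONNECT_PORTS = {443}


@dataclass
class Request:
    method: str
    target: str
    headers: list[tuple[str, str]]


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return Request(method, target, headers)


def connect_allowed(req: Request) -> bool:
    """Squid-style policy: a CONNECT tunnel may only target the SSL port list."""
    if req.method != "CONNECT":
        return True
    _host, _, port = req.target.rpartition(":")
    return port.isdigit() and int(port) in ALLOWED_CONNECT_PORTS


def forwarded_headers(req: Request) -> list[tuple[str, str]]:
    """RFC 2616 s14.10: drop Connection (and Proxy-Connection, addressed to the proxy)
    together with every header those fields name. Note RFC 2616 s13.5.1 also lists
    Upgrade itself as hop-by-hop, so a strictly conforming proxy may drop it anyway."""
    dropped = {"connection", "proxy-connection"}
    for name, value in req.headers:
        if name.lower() in dropped:
            dropped.update(tok.strip().lower() for tok in value.split(","))
    return [(n, v) for n, v in req.headers if n.lower() not in dropped]


# Constructed from the OPTIONS trace in the post: Upgrade is named by Connection, so it is stripped.
OPTIONS_REQUEST = ("OPTIONS * HTTP/1.1\r\nProxy-Connection: keep-alive\r\nConnection: Upgrade\r\n"
                   "Upgrade: WebSocket/1.0\r\nHost: warriorhut.org:8000\r\n\r\n")
# Constructed: the GET variant without Connection: Upgrade that reached the origin in testing.
GET_REQUEST = "GET /socket HTTP/1.1\r\nHost: warriorhut.org:8000\r\nUpgrade: WebSocket/1.0\r\n\r\n"
CONNECT_REQUEST = "CONNECT warriorhut.org:8000 HTTP/1.1\r\nHost: warriorhut.org:8000\r\n\r\n"
```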


"Mark Daniel" <mark.daniel@xxxxxxxxxx> wrote in message
news:01110d0c$0$20616$c3e8da3@xxxxxxxxxxxxxxxxxxxx
yyyc186 wrote:
The Minimum You Need to Know About Service Oriented Architecture by
Roland Hughes

Award-Winner in the Business: Technology/Computers/Internet category
of the National Best Books 2008 Awards, sponsored by USA Book News
Congratulations Roland!

(I purchased it when AU$ was almost at US$ parity :-)

You can find this book in Island Computer's Web store.