SlideShare a Scribd company logo
HTTP Status Report
             Mark Nottingham
   IETF HTTPbis WG Chair <mnot@mnot.net>
Principal Technical Yahoo! <mnot@yahoo-inc.com>
Hidden Agenda
• Inform what HTTP (the protocol) can do
• Inform what implementations can't (yet) do
• Encourage implementers to close the gap
Status of the Standards
HTTP circa 1996
• HTTP/0.9 fading quickly
• HTTP/1.0 taking off
• HTTP/1.1 to contain the damage
 •   virtual hosting
 •   persistent connections
 •   caching
• HTTP-NG discussions already underway
HTTP circa 1996
• Typical use
  •   Browser client, static or CGI content
  •   GET, POST
• WebDAV: Glimmer in Whitehead’s eye
• Services: huh?
2002: BCP56
•   “On the use of HTTP as a Substrate”
•   Reasonable advice for the IETF community,
    but failed to foresee “services” and “Web 2.0”
•   Codified distaste with non-browser uses
    •   A new port for every app
    •   Probably a new URI scheme too
•   Currently being considered for deprecation
HTTP in 2008
• HTTP/2.0 didn’t happen
• WS-* debacle unfortunately did
 •   PEP turned into SOAP
• “RESTful” APIs
 •   HTTP as Protocol Construction Toolkit
 •   Big surprise: Atompub
• Pressure to extend
• Explosion of implementations
 •   new servers, clients
 •   new frameworks, APIs
HTTPbis
• IETF Working Group to
  •   incorporate errata
  •   clarify ambiguities
  •   document extensibility
  •   improve interoperability
• I.e., writing the recipe down more clearly
• Specifications need to outlive their creators
• NOT to extend HTTP (but wait...)
HTTPbis: specs
•   Problem: RFC2616 is 176 pages of text/plain
•   Solution: split it up
    •   p1: messaging
    •   p2: semantics
    •   p3: payload
    •   p4: conditional requests
    •   p5: ranges
    •   p6: caching
    •   p7: authentication
HTTPbis: fixing...
•   Currently 139 issues, like
    • ABNF conversion
    • Whitespace between header name and colon
    • Registries for status codes, methods...
    • Vary corner cases
    • Clarify handling of bodies on GET requests
    • Header i18n and folding
    • ETags on PUT responses
    • Get rid of 305 Use Proxy
    • Clarifying the cache key
HTTPbis Status
• Currently on draft -05
• Major editorial rewrites starting
  •   p1 messaging
  •   p5 caching
• After that, most should be downhill
• “six months”
Status of the
Implementations
Implementations
•   Clients
    •   IE, Mozilla, Opera, Safari, wget, curl, serf, Perl, Python, Ruby, Java
    •   Abstractions: XmlHttpRequest, Prototype.js, Flash APIs
•   Servers
    •   Apache, IIS, Lighttpd, your router, phone and fridge
    •   Abstractions: filesystems, CGI, WSGI, Servlet
•   Intermediaries
    •   Squid, Network Appliance, ISA, HAProxy, tinyproxy, load
        balancers, firewalls
    •   Not many abstractions (yet)
    •   20%-30% of Web traffic goes through a proxy
•   Caches in clients and intermediaries
    • starting to show up in Python, Ruby...
HTTP Versions
• Most everything these days is HTTP/1.1,
  except...
  •   Squid (full 1.1 coming)
  •   wget
  •   a few libraries
  •   very old browsers, servers, libraries
• That’s OK
Core Methods
•   GET, POST - universally supported
•   PUT, DELETE
    • A few clients can’t generate (e.g., Safari2 XHR)
    • Intermediaries can be configured to block, but
      usually aren’t (except the paranoid and mobile)
•   Biggest limitation is W3C languages
    •   XSLT, HTML forms
•   Result: X-HTTP-Method header (Google) or
    query params (e.g., ?real-method=POST)
“Advanced” Methods
•   OPTIONS
    •   Hard to configure in servers
    •   Isn’t cacheable... oops.
    •   Result: only used for esoteric protocols (*dav)
•   Extension methods - FOO
    •   A number of clients don’t allow (e.g., XHR)
    •   Intermediaries often block (e.g., Squid, L4 balancers)
    •   Result: This probably isn’t so horrible
URIs
•   Mobile clients limit to as small as 256
•   Browsers
    •   IE: ~2k
    •   The rest: really really big
•   Intermediaries are OK up to about 4k; some go higher
•   Servers can be configured (or replaced)
•   Result: people putting queries in POSTs
    •   application-specific and frameworks
    •   frameworks doing this leads to gratuitous tunnelling
    •   HTTPbis recommendation likely to be around 8k
Headers
•   Some length limits (e.g. 20k total in Squid)
•   Almost no-one handles line continuations
    • Result: effectively profiled out
    • Disallowed by latest HTTPbis changes
•   Connection header control: not great
    • Result: extending protocol difficult
•   Trailers aren’t well-supported at all
    • Result: debug, status more difficult
Partial Content
• Content-Range / 206
• Biggest use: PDF
• Some caches don’t store partial content
  •   e.g., Squid
• Flash URL API can access ranges, but
  VideoPlayer, etc. don’t use it
• Result:
  $vidID = $_GET[quot;vidIDquot;];
  $vidPosition = $_GET[quot;vidPositionquot;];
Redirection
• Most* current browsers will redirect POST
  when they get a 307 Temporary Redirect
 •   ... but not PUT or DELETE
 •   ... and not a 301 or 302
 •   * except Safari - it doesn’t even do 307
• This is relatively new
• Result: login and lose your POST body
Caching
•   Basic conformance is there
    •   max-age, no-cache, no-store, Expires, IMS, INM
•   Invalidation isn’t implemented*
    • Result: don’t see your blog comments
•   Updating headers on 304 and HEAD is spotty
•   Warnings aren’t generated
•   Curl sends Pragma: no-cache by default
•   Result: Opportunity cost
Connection Handling
• Browsers limited to two concurrent
  connections to each server
 •   ouch!
 •   Result: BATCH, hosting on multiple names, etc.
• Being fixed in HTTPbis
Pipelining
•   Clients
    •   Only Opera does by default (lots of heuristics)
    •   The brave can turn it on in Mozilla
    •   A few libraries allow (e.g., Serf)
•   Most intermediaries will be OK with it, but won’t
    forward
•   Many servers handle it just fine; a few don’t
•   Risks: interleaved or out-of-order responses
•   Predominant use today: SVN (thanks to Serf)
•   Result: “waterfall” of requests; CSS spriting
The Cookie Cesspit
• There is no cookie specification.
  •   Netscape isn’t complete
  •   RFC2109 doesn’t reflect current practice
  •   Opera only major implementation of RFC2965
• •Parsing raw dates is painful
      Set-Cookie: a=1; Expires=Thu, 24 July 2008 00:00:00

  •   requires special case handling
• Result: libraries required.
Where
Next for
HTTP?
Tests, tests, tests
• Most knowledge today is ad hoc
  •   Some tools (e.g., co-advisor)
• Needed:
  •   open source test framework
  •   common test corpus
• messaging, semantics...
• For clients, intermediaries, servers and
  caches
Authentication
• Basic is interoperable, but not secure
• Digest is more secure, but not terribly
  interoperable
• Many newer requirements not addressed
 •   Phishing
 •   Delegated auth
• OAuth BoF last week in IETF Minneapolis
• Other efforts still coalescing
Better Transport
• head-of-line blocking STILL an issue
  •   Pipelining isn’t well-supported, and doesn’t
      completely solve the problem
• HTTP doesn’t guarantee integrity
  •   except with Content-MD5 (which no one does)
• HTTP-over-SCTP
  •   Great for lossy / long-distance networks
  •   proxy-to-proxy overlays
  •   uDel, Cisco
PATCH
• “Restful” APIs are starting to abuse PUT
  •   “update that with this...”
• PATCH allows you to apply a diff to a
  resource
• Currently an Internet-Draft
Prefer Header
• Lets a client state what it wants;
  •   Full content in response body
  •   Status message in response body
  •   No response body
• E.g., POST /order-handler
• Currently a (quiet) Internet-Draft
Link Header
• Under-developed part of the Web arch:
  typed links
• Advertise/discover links in HTTP headers
  •   “this invalidates <foo>”
  •   “the previous one is <bar>”
  •   “edit this over at <baz>”
• In RFC2068, taken out of RFC2616
• Bringing back as an internet-draft
Caching Refinements
• stale-while-revalidate
  •   hide server latency from clients
• stale-if-error
  •   hide server errors from clients
• Out-of-band change monitoring
• Using resource relationships to invalidate
• Explicit cache key
HTTP Software
• Higher-level (but still RESTful) abstractions
  •   e.g., webmachine
• Better feature set coverage
  •   e.g,. Rack::Cache
• Intermediary building blocks
  •   high performance/concurrency
  •   e.g., xLightweb
A Word on O2.0
• OpenID, OAuth, XmlHttpRequest, HTML5,
  Comet, “reliable” HTTP, BATCHing, Gears...
• General tendency to
 •   use least-common-denominator tech
 •   use familiar tools
 •   ignore intermediaries
 •   fail to consider overall architecture
• High opportunity cost
Take-Aways
•   Implementations are (obviously) usable, but
    •   They sometimes impose arbitrary limits
    •   They don’t expose some important controls
•   Developers will always take the easiest path
•   Not implementing because no-one uses it is a
    self-fulfilling prophesy
•   HTTPbis is an opportunity to
    •   get implementers together
    •   clarify ambiguities
    •   improve interop
    •   make HTTP a more stable basis for the next 10+ years
Resources
•   http://tools.ietf.org/wg/httpbis/
•   http://tinyurl.com/65e9lb [ implementation sheets ]
•   http://coad.measurement-factory.com/
•   http://www.mnot.net/blog/2007/06/20/proxy_caching
•   http://www.mnot.net/blog/2006/05/11/browser_caching

More Related Content

What's hot

Getting the most out of WebPageTest
Getting the most out of WebPageTestGetting the most out of WebPageTest
Getting the most out of WebPageTest
Patrick Meenan
 
SPDY @Zynga
SPDY @ZyngaSPDY @Zynga
SPDY @Zynga
Mike Belshe
 
HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612
HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612
HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612
Avenga Germany GmbH
 
HAProxy
HAProxy HAProxy
HAProxy
Arindam Nayak
 
COMET in Plone
COMET in PloneCOMET in Plone
COMET in Plone
Christian Scholz
 
Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxy
Brendan Jennings
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
Cory Forsyth
 
What we can learn from CDNs about Web Development, Deployment, and Performance
What we can learn from CDNs about Web Development, Deployment, and PerformanceWhat we can learn from CDNs about Web Development, Deployment, and Performance
What we can learn from CDNs about Web Development, Deployment, and Performance
Fastly
 
HA Deployment Architecture with HAProxy and Keepalived
HA Deployment Architecture with HAProxy and KeepalivedHA Deployment Architecture with HAProxy and Keepalived
HA Deployment Architecture with HAProxy and Keepalived
Ganapathi Kandaswamy
 
Using HAProxy to Scale MySQL
Using HAProxy to Scale MySQLUsing HAProxy to Scale MySQL
Using HAProxy to Scale MySQL
Bill Sickles
 
Rails hosting
Rails hostingRails hosting
Rails hosting
wonko
 
Web Performance Automation - NY Web Performance Meetup
Web Performance Automation - NY Web Performance MeetupWeb Performance Automation - NY Web Performance Meetup
Web Performance Automation - NY Web Performance Meetup
Strangeloop
 
HTTP/2で 速くなるとき ならないとき
HTTP/2で 速くなるとき ならないときHTTP/2で 速くなるとき ならないとき
HTTP/2で 速くなるとき ならないとき
Kazuho Oku
 
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
Load Impact
 
Mobile web performance - MoDev East
Mobile web performance - MoDev EastMobile web performance - MoDev East
Mobile web performance - MoDev East
Patrick Meenan
 
SPDY Talk
SPDY TalkSPDY Talk
SPDY Talk
Bojan Babic
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish Cache
Carlos Abalde
 
Websocket
WebsocketWebsocket
Websocket
Masudul Haque
 
HTTP/2 Comes to Java
HTTP/2 Comes to JavaHTTP/2 Comes to Java
HTTP/2 Comes to Java
David Delabassee
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
Ericom Software
 

What's hot (20)

Getting the most out of WebPageTest
Getting the most out of WebPageTestGetting the most out of WebPageTest
Getting the most out of WebPageTest
 
SPDY @Zynga
SPDY @ZyngaSPDY @Zynga
SPDY @Zynga
 
HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612
HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612
HTTP/2 turns 3 years old // Web Performance Meetup wao.io 20180612
 
HAProxy
HAProxy HAProxy
HAProxy
 
COMET in Plone
COMET in PloneCOMET in Plone
COMET in Plone
 
Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxy
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
What we can learn from CDNs about Web Development, Deployment, and Performance
What we can learn from CDNs about Web Development, Deployment, and PerformanceWhat we can learn from CDNs about Web Development, Deployment, and Performance
What we can learn from CDNs about Web Development, Deployment, and Performance
 
HA Deployment Architecture with HAProxy and Keepalived
HA Deployment Architecture with HAProxy and KeepalivedHA Deployment Architecture with HAProxy and Keepalived
HA Deployment Architecture with HAProxy and Keepalived
 
Using HAProxy to Scale MySQL
Using HAProxy to Scale MySQLUsing HAProxy to Scale MySQL
Using HAProxy to Scale MySQL
 
Rails hosting
Rails hostingRails hosting
Rails hosting
 
Web Performance Automation - NY Web Performance Meetup
Web Performance Automation - NY Web Performance MeetupWeb Performance Automation - NY Web Performance Meetup
Web Performance Automation - NY Web Performance Meetup
 
HTTP/2で 速くなるとき ならないとき
HTTP/2で 速くなるとき ならないときHTTP/2で 速くなるとき ならないとき
HTTP/2で 速くなるとき ならないとき
 
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
O'Reilly Fluent Conference: HTTP/1.1 vs. HTTP/2
 
Mobile web performance - MoDev East
Mobile web performance - MoDev EastMobile web performance - MoDev East
Mobile web performance - MoDev East
 
SPDY Talk
SPDY TalkSPDY Talk
SPDY Talk
 
Content Access Control with Varnish Cache
Content Access Control with Varnish CacheContent Access Control with Varnish Cache
Content Access Control with Varnish Cache
 
Websocket
WebsocketWebsocket
Websocket
 
HTTP/2 Comes to Java
HTTP/2 Comes to JavaHTTP/2 Comes to Java
HTTP/2 Comes to Java
 
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)
 

Similar to Http Status Report

Rest Vs Soap Yawn2289
Rest Vs Soap Yawn2289Rest Vs Soap Yawn2289
Rest Vs Soap Yawn2289
Kalyan Vijay Kumar Pasumarthi
 
ReST Vs SOA(P) ... Yawn
ReST Vs SOA(P) ... YawnReST Vs SOA(P) ... Yawn
ReST Vs SOA(P) ... Yawn
ozten
 
Ajax Tutorial
Ajax TutorialAjax Tutorial
Ajax Tutorial
oscon2007
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?
Mark Nottingham
 
Web Development: The Next Five Years
Web Development: The Next Five YearsWeb Development: The Next Five Years
Web Development: The Next Five Years
sneeu
 
Rubyhosting
RubyhostingRubyhosting
Rubyhosting
Artit Rubybox
 
Rubyhosting
RubyhostingRubyhosting
Rubyhosting
Artit Rubybox
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
Jim Jagielski
 
Reintroducing Web Technology
Reintroducing Web TechnologyReintroducing Web Technology
Reintroducing Web Technology
Isriya Paireepairit
 
Mojomojo Talk
Mojomojo TalkMojomojo Talk
Mojomojo Talk
Marcus Ramberg
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
ConFoo
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
Ido Flatow
 
Capistrano
CapistranoCapistrano
Capistrano
Kenneth Kalmer
 
PPW2007 - Continuity Project
PPW2007 - Continuity ProjectPPW2007 - Continuity Project
PPW2007 - Continuity Project
awwaiid
 
WordPress Performance & Scalability
WordPress Performance & ScalabilityWordPress Performance & Scalability
WordPress Performance & Scalability
Joseph Scott
 
SPDY
SPDYSPDY
From One to a Cluster
From One to a ClusterFrom One to a Cluster
From One to a Cluster
guestd34230
 
Qcon
QconQcon
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
sullis
 
Building Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using WebsocketsBuilding Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using Websockets
Naresh Chintalcheru
 

Similar to Http Status Report (20)

Rest Vs Soap Yawn2289
Rest Vs Soap Yawn2289Rest Vs Soap Yawn2289
Rest Vs Soap Yawn2289
 
ReST Vs SOA(P) ... Yawn
ReST Vs SOA(P) ... YawnReST Vs SOA(P) ... Yawn
ReST Vs SOA(P) ... Yawn
 
Ajax Tutorial
Ajax TutorialAjax Tutorial
Ajax Tutorial
 
What's up with HTTP?
What's up with HTTP?What's up with HTTP?
What's up with HTTP?
 
Web Development: The Next Five Years
Web Development: The Next Five YearsWeb Development: The Next Five Years
Web Development: The Next Five Years
 
Rubyhosting
RubyhostingRubyhosting
Rubyhosting
 
Rubyhosting
RubyhostingRubyhosting
Rubyhosting
 
Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2Acus08 Advanced Load Balancing Apache2.2
Acus08 Advanced Load Balancing Apache2.2
 
Reintroducing Web Technology
Reintroducing Web TechnologyReintroducing Web Technology
Reintroducing Web Technology
 
Mojomojo Talk
Mojomojo TalkMojomojo Talk
Mojomojo Talk
 
Scalable Architecture 101
Scalable Architecture 101Scalable Architecture 101
Scalable Architecture 101
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
Capistrano
CapistranoCapistrano
Capistrano
 
PPW2007 - Continuity Project
PPW2007 - Continuity ProjectPPW2007 - Continuity Project
PPW2007 - Continuity Project
 
WordPress Performance & Scalability
WordPress Performance & ScalabilityWordPress Performance & Scalability
WordPress Performance & Scalability
 
SPDY
SPDYSPDY
SPDY
 
From One to a Cluster
From One to a ClusterFrom One to a Cluster
From One to a Cluster
 
Qcon
QconQcon
Qcon
 
Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009Web Services and Android - OSSPAC 2009
Web Services and Android - OSSPAC 2009
 
Building Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using WebsocketsBuilding Next Generation Real-Time Web Applications using Websockets
Building Next Generation Real-Time Web Applications using Websockets
 

More from ConSanFrancisco123

Open Ap Is State Of The Market
Open Ap Is State Of The MarketOpen Ap Is State Of The Market
Open Ap Is State Of The Market
ConSanFrancisco123
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
ConSanFrancisco123
 
Ruby V Ms A Comparison
Ruby V Ms A ComparisonRuby V Ms A Comparison
Ruby V Ms A Comparison
ConSanFrancisco123
 
Yellowpagescom Behind The Curtain
Yellowpagescom Behind The CurtainYellowpagescom Behind The Curtain
Yellowpagescom Behind The Curtain
ConSanFrancisco123
 
Teamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any TimeTeamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any Time
ConSanFrancisco123
 
Agility Possibilities At A Personal Level
Agility Possibilities At A Personal LevelAgility Possibilities At A Personal Level
Agility Possibilities At A Personal Level
ConSanFrancisco123
 
Res Tful Enterprise Development
Res Tful Enterprise DevelopmentRes Tful Enterprise Development
Res Tful Enterprise Development
ConSanFrancisco123
 
Gallio Crafting A Toolchain
Gallio Crafting A ToolchainGallio Crafting A Toolchain
Gallio Crafting A Toolchain
ConSanFrancisco123
 
10 Ways To Improve Your Code
10 Ways To Improve Your Code10 Ways To Improve Your Code
10 Ways To Improve Your Code
ConSanFrancisco123
 
Behind The Scenes At My Spacecom
Behind The Scenes At My SpacecomBehind The Scenes At My Spacecom
Behind The Scenes At My Spacecom
ConSanFrancisco123
 
Building Blueprint With Gwt
Building Blueprint With GwtBuilding Blueprint With Gwt
Building Blueprint With Gwt
ConSanFrancisco123
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open Id
ConSanFrancisco123
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
ConSanFrancisco123
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
ConSanFrancisco123
 
Agile Software Development In The Large
Agile Software Development In The LargeAgile Software Development In The Large
Agile Software Development In The Large
ConSanFrancisco123
 
Introduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome ThemIntroduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome Them
ConSanFrancisco123
 
Business Natural Languages Development In Ruby
Business Natural Languages Development In RubyBusiness Natural Languages Development In Ruby
Business Natural Languages Development In Ruby
ConSanFrancisco123
 
Orbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And ChangeOrbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And Change
ConSanFrancisco123
 
Introduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered AboutIntroduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered About
ConSanFrancisco123
 

More from ConSanFrancisco123 (20)

Open Ap Is State Of The Market
Open Ap Is State Of The MarketOpen Ap Is State Of The Market
Open Ap Is State Of The Market
 
Yahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The CloudYahoo Pipes Middleware In The Cloud
Yahoo Pipes Middleware In The Cloud
 
Ruby V Ms A Comparison
Ruby V Ms A ComparisonRuby V Ms A Comparison
Ruby V Ms A Comparison
 
Yellowpagescom Behind The Curtain
Yellowpagescom Behind The CurtainYellowpagescom Behind The Curtain
Yellowpagescom Behind The Curtain
 
Teamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any TimeTeamwork Is An Individual Skill How To Build Any Team Any Time
Teamwork Is An Individual Skill How To Build Any Team Any Time
 
Agility Possibilities At A Personal Level
Agility Possibilities At A Personal LevelAgility Possibilities At A Personal Level
Agility Possibilities At A Personal Level
 
Res Tful Enterprise Development
Res Tful Enterprise DevelopmentRes Tful Enterprise Development
Res Tful Enterprise Development
 
Gallio Crafting A Toolchain
Gallio Crafting A ToolchainGallio Crafting A Toolchain
Gallio Crafting A Toolchain
 
10 Ways To Improve Your Code
10 Ways To Improve Your Code10 Ways To Improve Your Code
10 Ways To Improve Your Code
 
Behind The Scenes At My Spacecom
Behind The Scenes At My SpacecomBehind The Scenes At My Spacecom
Behind The Scenes At My Spacecom
 
Building Blueprint With Gwt
Building Blueprint With GwtBuilding Blueprint With Gwt
Building Blueprint With Gwt
 
Security Cas And Open Id
Security Cas And Open IdSecurity Cas And Open Id
Security Cas And Open Id
 
Soa And Web Services Security
Soa And Web Services SecuritySoa And Web Services Security
Soa And Web Services Security
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
 
Secure Programming With Static Analysis
Secure Programming With Static AnalysisSecure Programming With Static Analysis
Secure Programming With Static Analysis
 
Agile Software Development In The Large
Agile Software Development In The LargeAgile Software Development In The Large
Agile Software Development In The Large
 
Introduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome ThemIntroduction Challenges In Agile And How To Overcome Them
Introduction Challenges In Agile And How To Overcome Them
 
Business Natural Languages Development In Ruby
Business Natural Languages Development In RubyBusiness Natural Languages Development In Ruby
Business Natural Languages Development In Ruby
 
Orbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And ChangeOrbitz World Wide An Architectures Response To Growth And Change
Orbitz World Wide An Architectures Response To Growth And Change
 
Introduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered AboutIntroduction Architectures Youve Always Wondered About
Introduction Architectures Youve Always Wondered About
 

Recently uploaded

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 

Recently uploaded (20)

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 

Http Status Report

  • 1. HTTP Status Report Mark Nottingham IETF HTTPbis WG Chair <mnot@mnot.net> Principal Technical Yahoo! <mnot@yahoo-inc.com>
  • 2. Hidden Agenda • Inform what HTTP (the protocol) can do • Inform what implementations can't (yet) do • Encourage implementers to close the gap
  • 3. Status of the Standards
  • 4. HTTP circa 1996 • HTTP/0.9 fading quickly • HTTP/1.0 taking off • HTTP/1.1 to contain the damage • virtual hosting • persistent connections • caching • HTTP-NG discussions already underway
  • 5. HTTP circa 1996 • Typical use • Browser client, static or CGI content • GET, POST • WebDAV: Glimmer in Whitehead’s eye • Services: huh?
  • 6. 2002: BCP56 • “On the use of HTTP as a Substrate” • Reasonable advice for the IETF community, but failed to foresee “services” and “Web 2.0” • Codified distaste with non-browser uses • A new port for every app • Probably a new URI scheme too • Currently being considered for deprecation
  • 7. HTTP in 2008 • HTTP/2.0 didn’t happen • WS-* debacle unfortunately did • PEP turned into SOAP • “RESTful” APIs • HTTP as Protocol Construction Toolkit • Big surprise: Atompub • Pressure to extend • Explosion of implementations • new servers, clients • new frameworks, APIs
  • 8. HTTPbis • IETF Working Group to • incorporate errata • clarify ambiguities • document extensibility • improve interoperability • I.e., writing the recipe down more clearly • Specifications need to outlive their creators • NOT to extend HTTP (but wait...)
  • 9. HTTPbis: specs • Problem: RFC2616 is 176 pages of text/plain • Solution: split it up • p1: messaging • p2: semantics • p3: payload • p4: conditional requests • p5: ranges • p6: caching • p7: authentication
  • 10. HTTPbis: fixing... • Currently 139 issues, like • ABNF conversion • Whitespace between header name and colon • Registries for status codes, methods... • Vary corner cases • Clarify handling of bodies on GET requests • Header i18n and folding • ETags on PUT responses • Get rid of 305 Use Proxy • Clarifying the cache key
  • 11. HTTPbis Status • Currently on draft -05 • Major editorial rewrites starting • p1 messaging • p5 caching • After that, most should be downhill • “six months”
  • 13. Implementations • Clients • IE, Mozilla, Opera, Safari, wget, curl, serf, Perl, Python, Ruby, Java • Abstractions: XmlHttpRequest, Prototype.js, Flash APIs • Servers • Apache, IIS, Lighttpd, your router, phone and fridge • Abstractions: filesystems, CGI, WSGI, Servlet • Intermediaries • Squid, Network Appliance, ISA, HAProxy, tinyproxy, load balancers, firewalls • Not many abstractions (yet) • 20%-30% of Web traffic goes through a proxy • Caches in clients and intermediaries • starting to show up in Python, Ruby...
  • 14. HTTP Versions • Most everything these days is HTTP/1.1, except... • Squid (full 1.1 coming) • wget • a few libraries • very old browsers, servers, libraries • That’s OK
  • 15. Core Methods • GET, POST - universally supported • PUT, DELETE • A few clients can’t generate (e.g., Safari2 XHR) • Intermediaries can be configured to block, but usually aren’t (except the paranoid and mobile) • Biggest limitation is W3C languages • XSLT, HTML forms • Result: X-HTTP-Method header (Google) or query params (e.g., ?real-method=POST)
  • 16. “Advanced” Methods • OPTIONS • Hard to configure in servers • Isn’t cacheable... oops. • Result: only used for esoteric protocols (*dav) • Extension methods - FOO • A number of clients don’t allow (e.g., XHR) • Intermediaries often block (e.g., Squid, L4 balancers) • Result: This probably isn’t so horrible
  • 17. URIs • Mobile clients limit to as small as 256 • Browsers • IE: ~2k • The rest: really really big • Intermediaries are OK up to about 4k; some go higher • Servers can be configured (or replaced) • Result: people putting queries in POSTs • application-specific and frameworks • frameworks doing this leads to gratuitous tunnelling • HTTPbis recommendation likely to be around 8k
  • 18. Headers • Some length limits (e.g. 20k total in Squid) • Almost no-one handles line continuations • Result: effectively profiled out • Disallowed by latest HTTPbis changes • Connection header control: not great • Result: extending protocol difficult • Trailers aren’t well-supported at all • Result: debug, status more difficult
  • 19. Partial Content • Content-Range / 206 • Biggest use: PDF • Some caches don’t store partial content • e.g., Squid • Flash URL API can access ranges, but VideoPlayer, etc. don’t use it • Result: $vidID = $_GET[quot;vidIDquot;]; $vidPosition = $_GET[quot;vidPositionquot;];
  • 20. Redirection • Most* current browsers will redirect POST when they get a 307 Temporary Redirect • ... but not PUT or DELETE • ... and not a 301 or 302 • * except Safari - it doesn’t even do 307 • This is relatively new • Result: login and lose your POST body
  • 21. Caching • Basic conformance is there • max-age, no-cache, no-store, Expires, IMS, INM • Invalidation isn’t implemented* • Result: don’t see your blog comments • Updating headers on 304 and HEAD is spotty • Warnings aren’t generated • Curl sends Pragma: no-cache by default • Result: Opportunity cost
  • 22. Connection Handling • Browsers limited to two concurrent connections to each server • ouch! • Result: BATCH, hosting on multiple names, etc. • Being fixed in HTTPbis
  • 23. Pipelining • Clients • Only Opera does by default (lots of heuristics) • The brave can turn it on in Mozilla • A few libraries allow (e.g., Serf) • Most intermediaries will be OK with it, but won’t forward • Many servers handle it just fine; a few don’t • Risks: interleaved or out-of-order responses • Predominant use today: SVN (thanks to Serf) • Result: “waterfall” of requests; CSS spriting
  • 24. The Cookie Cesspit • There is no cookie specification. • Netscape isn’t complete • RFC2109 doesn’t reflect current practice • Opera only major implementation of RFC2965 • •Parsing raw dates is painful Set-Cookie: a=1; Expires=Thu, 24 July 2008 00:00:00 • requires special case handling • Result: libraries required.
  • 26. Tests, tests, tests • Most knowledge today is ad hoc • Some tools (e.g., co-advisor) • Needed: • open source test framework • common test corpus • messaging, semantics... • For clients, intermediaries, servers and caches
  • 27. Authentication • Basic is interoperable, but not secure • Digest is more secure, but not terribly interoperable • Many newer requirements not addressed • Phishing • Delegated auth • OAuth BoF last week in IETF Minneapolis • Other efforts still coalescing
  • 28. Better Transport • head-of-line blocking STILL an issue • Pipelining isn’t well-supported, and doesn’t completely solve the problem • HTTP doesn’t guarantee integrity • except with Content-MD5 (which no one does) • HTTP-over-SCTP • Great for lossy / long-distance networks • proxy-to-proxy overlays • uDel, Cisco
  • 29. PATCH • “Restful” APIs are starting to abuse PUT • “update that with this...” • PATCH allows you to apply a diff to a resource • Currently an Internet-Draft
  • 30. Prefer Header • Lets a client state what it wants; • Full content in response body • Status message in response body • No response body • E.g., POST /order-handler • Currently a (quiet) Internet-Draft
  • 31. Link Header • Under-developed part of the Web arch: typed links • Advertise/discover links in HTTP headers • “this invalidates <foo>” • “the previous one is <bar>” • “edit this over at <baz>” • In RFC2068, taken out of RFC2616 • Bringing back as an internet-draft
  • 32. Caching Refinements • stale-while-revalidate • hide server latency from clients • stale-if-error • hide server errors from clients • Out-of-band change monitoring • Using resource relationships to invalidate • Explicit cache key
  • 33. HTTP Software • Higher-level (but still RESTful) abstractions • e.g., webmachine • Better feature set coverage • e.g,. Rack::Cache • Intermediary building blocks • high performance/concurrency • e.g., xLightweb
  • 34. A Word on O2.0 • OpenID, OAuth, XmlHttpRequest, HTML5, Comet, “reliable” HTTP, BATCHing, Gears... • General tendency to • use least-common-denominator tech • use familiar tools • ignore intermediaries • fail to consider overall architecture • High opportunity cost
  • 35. Take-Aways • Implementations are (obviously) usable, but • They sometimes impose arbitrary limits • They don’t expose some important controls • Developers will always take the easiest path • Not implementing because no-one uses it is a self-fulfilling prophesy • HTTPbis is an opportunity to • get implementers together • clarify ambiguities • improve interop • make HTTP a more stable basis for the next 10+ years
  • 36. Resources • http://tools.ietf.org/wg/httpbis/ • http://tinyurl.com/65e9lb [ implementation sheets ] • http://coad.measurement-factory.com/ • http://www.mnot.net/blog/2007/06/20/proxy_caching • http://www.mnot.net/blog/2006/05/11/browser_caching