Qt-contributors-summit-2013-Qt Network CS 2013

From Qt Wiki

Qt Network Session – Qt Contributors Summit 2013

Talking Points

  • Option to add random padding to HTTPS requests. This makes us more resistant to the various HTTPS attacks that have been floating around.
    • X-Qt-Padding: some noise of varying length
    • Recommendation 3 from http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
  • Who is working on the stack?
  • What's up with the constant failing tests in the CI, and how can we fix the situation?
  • Support for Diffie-Hellman ciphers
  • Support for redirects
  • Pause on connect
  • Performance
  • Peter's Chromium QNAM port
  • Automatic fallback support
  • Certificate store API / Caching intermediates
  • OCSP support
  • Replacing the QNAM disk cache
  • HTTP 2.0 / SPDY support
  • Web sockets
  • Enginio and Qt network
  • WebKit2 and custom QNetworkAccessManagers

Off topic, but related:

  • PBKDF2 / BCrypt support (QtCore really)
  • Should we warn if running as root? If running suid?

Notes by Thiago:

  • DH key exchange
    • no public API
    • easy to implement, hard to test
  • OCSP
    • adds latency: needs to query the OCSP server
    • Richard implemented one year ago
    • still works, but he hasn't worked on it in a while
    • enabled by default
    • QSslSocket level
  • Certificate store:
    • storing intermediate certs from broken servers that don't return the whole chain
    • browsers do that to work around issues in the wild
    • adds security
    • certificates are not trusted, so they don't add a new security attack vector
    • virtual QSslCertificate QAbstractSslCertificateStore::certificateForId(QSslCertificateId)
  • QNAM redirects
    • discussed in the DD Contributor Day
    • vector for insecurity (users do it wrong)
    • should be configurable
    • we don't need to fix this for the browser case → they already have the code
    • we need it only for the simple application cases
    • allow redirect from HTTP to HTTPS, allow within-protocol
    • could work with pausing
    • readyRead & metaDataChanged from the final, sslErrors per connection
  • Pause on connect:
    • Already discussed, implementation challenges and details known
    • Work is missing (Peter doesn't have time)
  • Performance: latency problems
    • Helped by the pre-connect
  • Replacing QNAM port:
    • With Blink:
      • difficult, it's too big for QtNetwork
      • no guarantee that we'll get a "library" interface
    • libcurl:
      • they're behind us
  • SPDY / HTTP/2.0:
    • HTTP/2.0 adopted SPDY 3.0's transport format
      • we can start supporting SPDY to get on our way to HTTP/2.0
    • libcurl has started
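The redirect rule from the QNAM redirects notes above (stay within the protocol or upgrade HTTP to HTTPS, never downgrade), written out as an added plain C++ example; this is not Qt code, and the helper names, the hop cap and the handling of absolute-path Location targets are assumptions made here.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Scheme of a URL, lower-cased and without "://"; empty for a relative
// reference such as "/login". Helper written for this example, not Qt API.
static std::string schemeOf(const std::string &url) {
    const auto pos = url.find("://");
    if (pos == std::string::npos) return {};
    std::string s = url.substr(0, pos);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// "scheme://host" part of an absolute URL, used to resolve "/path" targets.
static std::string originOf(const std::string &url) {
    const auto hostStart = url.find("://") + 3;
    return url.substr(0, url.find('/', hostStart));  // npos -> whole string
}

// Policy from the notes: a redirect may stay within its protocol or upgrade
// HTTP -> HTTPS; an HTTPS -> HTTP downgrade or a non-HTTP(S) target is
// refused. An absolute-path Location ("/login") keeps the current scheme.
bool redirectAllowed(const std::string &from, const std::string &to) {
    const std::string src = schemeOf(from);
    std::string dst = schemeOf(to);
    if (dst.empty() && !to.empty() && to[0] == '/') dst = src;
    if (dst != "http" && dst != "https") return false;
    if (src == dst) return true;                 // within-protocol
    return src == "http" && dst == "https";      // upgrade only
}

// Follow a chain of Location targets from `start`, checking the policy at
// every hop and capping the hop count so a redirect loop cannot spin forever.
// Returns the final URL, or "" if a hop is refused or the cap is exceeded.
std::string followRedirects(const std::string &start,
                            const std::vector<std::string> &locations,
                            std::size_t maxHops = 5) {
    if (locations.size() > maxHops) return {};
    std::string current = start;
    for (const std::string &next : locations) {
        if (!redirectAllowed(current, next)) return {};
        current = schemeOf(next).empty() ? originOf(current) + next : next;
    }
    return current;
}
```

The sslErrors-per-connection point in the notes still applies: each hop is a new connection whose certificate must be verified on its own, which this policy check does not replace.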