Qt-contributors-summit-2013-Qt Network CS 2013

=Qt Network Session – Qt Contributors Summit 2013=


==Talking Points==
* Option to add random padding to HTTPS requests, making us more resistant to the various HTTPS attacks that have been floating around
** X-Qt-Padding: some noise of varying length, so that a fixed secret such as a cookie is not encrypted at the same keystream position in every request
** Recommendation 3 from http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
* Who is working on the stack?
* What’s up with the constant failing tests in the CI, and how can we fix the situation?
* Support for Diffie-Hellman (DHE) cipher suites
* Support for redirects
* Pause on connect
* Performance
* Peter’s Chromium QNAM port
* Automatic fallback support
* Certificate store API / Caching intermediates
* OCSP support
* Replacing the QNAM disk cache
* HTTP 2.0 / SPDY support
* Web sockets
* Enginio and Qt network
* WebKit2 and custom QNetworkAccessManagers
Off topic, but related:
* PBKDF2 / BCrypt support (QtCore really)
* Should we warn if running as root? If running suid?
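The padding item above is easier to judge with the mechanism in front of you. The following is an added example, not code from Qt or from the session, written in plain C++ so it needs no Qt headers: it generates a random-length X-Qt-Padding value, serialises a constructed, minimal GET request with a constructed cookie and Host of example.com (both sample data), and reports the byte offset at which the cookie value lands. The header name comes from the page; the 16–64 byte length range, the header-safe alphabet and the placement of the padding header are choices made for the example.

```cpp
// Added example, not Qt code: per-request random-length padding header of the
// kind proposed above (X-Qt-Padding), and a check of what it actually changes.
// The HTTP serialisation here is a constructed, minimal stand-in for what a
// real client would emit; the cookie value is constructed sample data.
#include <cstddef>
#include <random>
#include <string>

// Header-safe alphabet: plain ASCII letters and digits only, so the padding
// can never smuggle CR/LF or other control bytes into the request.
static const char kAlphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Generate padding whose length is uniform in [minLen, maxLen]. Callers must
// pass a cryptographically seeded generator (std::random_device or the
// platform CSPRNG); a predictable length hands the attacker the offset back.
template <class URBG>
std::string randomPadding(std::size_t minLen, std::size_t maxLen, URBG &rng) {
    std::uniform_int_distribution<std::size_t> lenDist(minLen, maxLen);
    std::uniform_int_distribution<std::size_t> chDist(0, sizeof(kAlphabet) - 2);
    const std::size_t n = lenDist(rng);
    std::string out;
    out.reserve(n);
    for (std::size_t i = 0; i < n; ++i)
        out += kAlphabet[chDist(rng)];
    return out;
}

// True if the value is printable ASCII, i.e. legal as an HTTP header value.
bool isHeaderSafe(const std::string &value) {
    for (unsigned char c : value)
        if (c < 0x20 || c > 0x7e) return false;
    return true;
}

// Serialise a minimal GET. The padding header is emitted *before* Cookie:
// padding appended after the secret would leave its offset unchanged.
std::string buildRequest(const std::string &path, const std::string &cookie,
                         const std::string &padding) {
    std::string req = "GET " + path + " HTTP/1.1\r\nHost: example.com\r\n";
    if (!padding.empty())
        req += "X-Qt-Padding: " + padding + "\r\n";
    req += "Cookie: " + cookie + "\r\n\r\n";
    return req;
}

// Byte offset of the cookie value in the serialised request: the keystream
// position a fixed-position keystream-bias attack would have to target.
std::size_t secretOffset(const std::string &req, const std::string &cookie) {
    const std::string needle = "Cookie: " + cookie;
    const std::size_t pos = req.find(needle);
    return pos == std::string::npos ? pos : pos + 8;  // skip "Cookie: "
}
```

Two caveats a practitioner would want: the padding only moves the secret if it is serialised ahead of it, so the header order in the real client matters, not just the header's presence; and varying the position is a mitigation for position-dependent keystream biases, not a repair of RC4 itself, so the durable fix is still to drop RC4 from the offered cipher list.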
Notes by Thiago:
* DH key exchange
** no public API
** easy to implement, hard to test
* OCSP
** adds latency: needs to query the OCSP server
** Richard implemented one year ago
** still works, but hasn’t worked on it in a while
** enabled by default
** QSslSocket level
* Certificate store:
** storing intermediate certs from broken servers that don’t return the whole chain
** browsers do that to work around issues in the wild
** adds security
** certificates are not trusted, so they don’t add a new security attack vector
** virtual QSslCertificate QAbstractSslCertificateStore::certificateForId(QSslCertificateId)
* QNAM redirects
** discussed in the DD Contributor Day
** vector for insecurity (users do it wrong)
** should be configurable
** we don’t need to fix this for the browser case → they already have the code
** we need it only for the simple application cases
** allow redirect from HTTP to HTTPS, allow within-protocol
** could work with pausing
** readyRead & metaDataChanged from the final, sslErrors per connection
* Pause on connect:
** Already discussed, implementation challenges and details known
** Work is missing (Peter doesn’t have time)
* Performance: latency problems
** Helped by the pre-connect
* Replacing QNAM port:
** With Blink:
*** difficult, it’s too big for QtNetwork
*** no guarantee that we’ll get a “library” interface
** libcurl:
*** they’re behind us
* SPDY / HTTP/2.0:
** HTTP/2.0 adopted SPDY 3.0’s transport format
*** we can start supporting SPDY to get on our way to HTTP/2.0
** libcurl has started
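The redirect policy in the notes (follow HTTP to HTTPS and within-protocol hops, never HTTPS to HTTP, configurable by the application) is small enough to show in full. The following is an added example, not Qt code and not what QNAM implements; it is plain C++ with no Qt dependency. The function names, the five-hop limit, and the chain of Location targets used as input are all constructed for the example.

```cpp
// Added example, not Qt code: the redirect policy the notes sketch (follow
// http -> https and same-scheme hops, never https -> http), applied over a
// constructed chain of Location targets with a bound on chain length.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-cased URL scheme, or "" if the URL has none we can parse.
std::string schemeOf(const std::string &url) {
    const std::size_t sep = url.find("://");
    if (sep == std::string::npos) return "";
    std::string s = url.substr(0, sep);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Resolve a Location value against the current URL. Absolute targets are
// returned as-is; a protocol-relative target ("//host/x") keeps the current
// scheme; a path-absolute target ("/x") keeps the current origin. Anything
// else (relative paths, "javascript:", "data:") is refused rather than guessed.
std::string resolveLocation(const std::string &current, const std::string &location) {
    if (!schemeOf(location).empty()) return location;
    const std::string scheme = schemeOf(current);
    if (scheme.empty()) return "";
    if (location.size() >= 2 && location[0] == '/' && location[1] == '/')
        return scheme + ":" + location;
    if (!location.empty() && location[0] == '/') {
        const std::size_t sep = current.find("://");
        const std::size_t pathStart = current.find('/', sep + 3);
        return current.substr(0, pathStart) + location;  // origin + path
    }
    return "";
}

// Policy for one hop: same scheme is fine, http -> https is an upgrade and
// fine, everything else (https -> http, unknown or missing schemes) is not.
bool redirectAllowed(const std::string &from, const std::string &to) {
    const std::string a = schemeOf(from), b = schemeOf(to);
    if (a.empty() || b.empty()) return false;
    if (a == b) return true;
    return a == "http" && b == "https";
}

// Follow a chain of Location headers (constructed input) from 'start'.
// Returns the final URL, or "" if any hop violates the policy or the chain
// exceeds maxHops (the bound against redirect loops).
std::string followRedirects(const std::string &start,
                            const std::vector<std::string> &locations,
                            std::size_t maxHops = 5) {
    std::string current = start;
    std::size_t hops = 0;
    for (const std::string &loc : locations) {
        if (++hops > maxHops) return "";
        const std::string next = resolveLocation(current, loc);
        if (next.empty() || !redirectAllowed(current, next)) return "";
        current = next;
    }
    return current;
}
```

The scheme check is necessary but not sufficient. Every hop is a new connection, which is why the notes want sslErrors reported per connection rather than once for the final reply: a certificate problem on the second host must not be masked by a clean first hop. Credentials and cookies bound to the original host should likewise not be re-sent when a hop lands on a different host.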

Revision as of 14:08, 25 February 2015
