Why IE Is So Fast ... Sometimes

safrit writes "Finally the scoop on how IE "cheats" a little to up its performance! Do RFCs mean nothing anymore? What's next, Riots in the streets, dogs and cats living together, mass hysteria! From the blog story: 'Internet Explorer on Windows always seems either to run impossibly fast (page requests are fulfilled almost before the mouse button has returned to its original unclicked position), or ridiculously slow...' Now read to see why..."

This isn't what I'm seeing

[beezly]

Ok, I've only been able to read the copy of the blog from that which has been pasted in these Slashdot replies (i.e. I might have missed some of the story), but I've just tried this out and it's not what I'm seeing at all. Between an IE6/XP machine and my Apache box...

21:54:48.351781 10.0.0.29.4109 > 10.0.0.5.www: S 3610909795:3610909795(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:54:48.352052 10.0.0.5.www > 10.0.0.29.4109: S 4178252606:4178252606(0) ack 3610909796 win 5840 <mss 1460,nop,nop,sackOK> (DF)
21:54:48.352202 10.0.0.29.4109 > 10.0.0.5.www: . ack 1 win 64240 (DF)
21:54:48.352400 10.0.0.29.4109 > 10.0.0.5.www: P 1:243(242) ack 1 win 64240 (DF)
21:54:48.352528 10.0.0.5.www > 10.0.0.29.4109: . ack 243 win 6432 (DF)
...
...
...

Which appears to be a perfectly standard SYN->SYN->ACK handshake at the beginning. Also, do IE5.5/6 support HTTP pipelining? Surely this would explain the web browser not tearing down connections in between HTTP commands. Mozilla supports it! :) ... or maybe I've just not understood the blog entry correctly!

Re:This isn't what I'm seeing

[Panoramix]

Thank you for posting that dump. The first thing I thought of was sniffing my ethernet myself, just to see if this was true. Regrettably, I have no Windows machines available here to test with (never imagined that I would ever think of this as 'regrettable' :-).

Anyway, I'm having a really hard time believing this story. I just can't get me to think that such a nasty hack would have gone unnoticed for years (the article speaks of years). I mean, think of the security holes it would open! The many router and firewall mysterious misbehaving it would trigger. And no sysadmin, or lowly script kiddie noticing this? It just can't be.

I'd love to have information on how to reproduce this, and see it for myself on my network. Yes I'd put Windows and (yuck) IIS in one of my boxes, for a couple of hours, to run this test. But until I can see it myself, or read about it in Bugtraq, I won't believe it, and will be ashamed that Slashdot is publishing it without a big note stating at the very least that "this may be not true".

Really, even though I'm a GNU/Linux user, the kind that actually uses the "GNU/Linux" tag from time to time, and that I love Mozilla and all, if find this just as low as the best FUD Microsoft has come up with in their dirty history.

FTP the same?

[Shelled]

A custom application we run at work makes use of the IE ftp client to make automated connects to our ftp server. Any other client, Linux or Windows, disconnects from the server on shutdown. IE or the IE-based ftp client don't, even if you exit IE. Because of this we've been forced to set a session idle timeout of 1 minute on the server to avoid hanging connections. Is this another example of the same technique, client-side?

Re:FTP the same?

[Guppy06]

"even if you exit IE."

There's your problem. From IE 4.0 onwards, there's only one way to exit IE: You shut down Windows. Just ask the attorneys that testified before Judge Jackson.

Re:Persistent Connections

[xcomputer_man]

Err, I don't think so. From what I've read about HTTP KeepAlive, the connection should be kept alive by adding a "Connection: KeepAlive" header to the request or something like that. I can't imagine any reason why any protocol should want to interfere with the TCP handshaking sequence for keepalive purposes. That would mean crossing out of the application layer into the transport layer.

This issue caused me a lot of grief last year, and I am just figuring out why. We set up a webmail server using Apache/Vhosts and OpenSSL, and we had this recurring problem of links just suddenly breaking in IE ... It'd just return "Page could not be loaded" or something like that. The problem never cropped up in Mozilla or other browsers, and eventually I found out that if I added this line:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

to the virtual host configuration, the problem went away. Now that I've read this article, I think I understand why. What I think is happening here is that Microsoft trying to make the most out of keepalive/persistent connections by bending the rules. And it's not right.

This is NOT the standard HTTP 1.1 keepalive

[Admiral+Burrito]

If this is what I think, namely that IE doesn't close the connection after getting the response, the author may want to look into HTTP 1.1 and this thing called "persistent connections". If a browser expects to make multiple requests from a server, the browser is allowed to leave the connection open and make further requests over it.

You might want to look into HTTP 1.1 as well. In fact, so should Microsoft, because (if the article is accurate) they've apparently re-invented the wheel in square form.

Standard HTTP 1.1 keepalive still uses a regular, plain, vanilla TCP connection. No FIN packets until the connection actually is finished. It simply doesn't close the connection, allowing further requests on the same connection (because the connection is still open). The connection is closed - using the standard methods - when one side decides to close the connection (eg. after a timeout).

What is described in the article is a bastard half-closed connection, which is completely unnecessary unless your goal is gratuitous violation of the TCP spec.

Re:Cut n Paste

[Sunda666]

Unless they are *not* using the standard sockets interface... rather using some undocumented hack inside win32 that does this (hey, linux has something like this, its called the "Packet Generator"(LOL), but it is atleast documented (and has its usage higly counter-recommended)). Man, if this is the case, I see some ppl getting pretty pissed off. Thats why closed-source monopoly software is not a Good Thing (TM). Anyone remember the stories about M$ using undocumented windows APIs in Office to be faster than the competition?

cheers.

i'd like to see...

[drDugan]

something I can run on my apache server that rejects clients that don not follow the rfc for tcp/ip, and hence rejects ie

I've toyed with blocking based on agent string, but that seems cruel and stoops to the level of MS...(who do this regualrly) and besides, it goes against my beliefs of software choice... however, it would be nice to redirect peopel to a page that says, "Your browser is not standards-compliant"

Even more interesting.....

[inKubus]

What is much more interesting is what IE does AFTER it sends that first request without opening the connection... You know the lovely MSN Search page it loves to pop up? Everytime IE encounters (for the first time in each session) a non-IIS server, it promptly connects to MSN Search and submits the website address....

You are being watched, friends.

Re:DNS is a possibility

[MillionthMonkey]

When trying to connect to an address of form 1.2.3.4, the program would halt for some twenty-thirty seconds before proceeding.

IIRC this was a problem with Sun's implementation of InetAddress.getByName() on Windows. When passed a string containing a dotted numeric quad, it stupidly tried to do a DNS lookup on it instead of simply filling in the four bytes and handing you an InetAddress. Because who knows- maybe someone registered "192.168.1.23" as a domain name! (Which would be akin to registering "microsoft.com" with a Cyrillic "o", but never mind.) Then of course your thread stalled inside InetAddress for half a minute while it waited for the DNS timeout. This makes me suspect that Sun's code was waiting for the successful DNS response and ignoring the failure response that actually arrived. Probably the same moron was responsible for both bugs. Editing the hosts file became the standard workaround.

I don't know when it got fixed but there's code in there to check for a dotted quad now.

Data after FIN shouldn't be allowed

[Krellan]

The 4 steps when the server finishes sending data and closes the connection, from the article:


Client Server
<-- FIN
ACK -->
FIN -->
<-- ACK


When the server has no more data, it sends FIN.

The server should not be allowed to send more data after the FIN! This is a violation of the TCP spec. Otherwise, how would clients truly know whether or not the server had more data to send?

TCP does support something called "half close". It is possible to indicate that you have no more data to send, but that you are still willing to receive data. This is why both sides must send FIN, in order to cleanly close the connection. If one side sends FIN but the other doesn't, the connection remains open, but data can only flow in one direction (sending from the side that did not send the FIN). This is useful for cleanly shutting down connections and making sure that both sides receive all the data they were expecting.

In the example from the article, when the client receives a FIN but does not send a FIN of its own, this is legal: the TCP connection now is one way, and data can only be sent from the client to the server. The server is not allowed to send more data. So, if IIS is doing this, it is breaking the spec. It is important to note that the client is doing nothing wrong in this case.