Why IE Is So Fast ... Sometimes

safrit writes "Finally the scoop on how IE "cheats" a little to up its performance! Do RFCs mean nothing anymore? What's next, Riots in the streets, dogs and cats living together, mass hysteria! From the blog story: 'Internet Explorer on Windows always seems either to run impossibly fast (page requests are fulfilled almost before the mouse button has returned to its original unclicked position), or ridiculously slow...' Now read to see why..."

I wish I could...

[crashnbur]

...but the site has already been slashdotted! I suppose I'll just read it late tonight after the "mass hysteria" has settled.

Re:I wish I could...

[Sayjack]

Hmm...wierd, IE displayed the site before I even thought to click on the link.

Re:I wish I could...

[IIRCAFAIKIANAL]

I dunno about that, but IE seems to think I want six windows open when I click one link. It also thinks I want to go on a diet, optimize my system, punch a monkey, and meet women, judging by the windows I get. Wierd shit, dude...

down before first post?

[stephenisu]

The same powers that make IE impossibly fast also made this site crash impossibly fast. :)

Re:down before first post?

More like, the powers that keep slashdot editors from telling people they're going to be linked caused perl to suck up all our CPU. Nothing crashed, the proc was simply pegged until I woke up and fixed it.

It's back up with a redirect for slashdot.

Umm..

[fluxrad]

kind of like how that blog link is coming up incredibly slow?

;-)

Cut n Paste

[dogbowl]

Straight from the site.......

Internet Explorer on Windows always seems either to run impossibly fast (page requests are fulfilled almost before the mouse button has returned to its original unclicked position), or ridiculously slow (as with the weird stalling-on-connect problem that many people, including myself, have noticed).

One possible explanation is something that my team and I noticed a couple of years ago, in analyzing packet traces of IE's connection setup procedure. Microsoft might have fixed this since then; I'm not sure. But it's a possible culprit.

First of all, for those rusty on their TCP/IP-- here's how a normal HTTP request over TCP should work:

Client Server
1. SYN ->
2.
4. Request ->

This is how the client and server synchronize their sequence numbers, which is how a connection gets established. The client sends a synchronization request, the server acknowledges it and sends a synchronization request of its own, and the client acknowledges that. Only then can the HTTP request proceed reliably.

The server's SYN (synchronize) and ACK (acknowledgement) packets are combined for speed; there's no reason to send two separate packets, when you're trying to get a connection established as quickly as possible. Another speed enhancement that Mac OS 9's stack uses, by the way, is to combine the client's ACK and the HTTP request into a single packet; this is legal, but not frequently done. The idea is that within the structure of TCP/IP, you want to minimize the number of transactions that need to take place in setting up the two-way handshake necessary before you can send the HTTP request.

When tearing down a connection, it looks like this:

Client Server
1.
3. FIN ->
4.
Uh... what? Dunno what the hell this is. I'll ignore it, or RST.
2. Oh, you're a standard server. Okay: SYN ->
3.
5. Request ->

In other words, instead of sending a SYN packet like every other TCP/IP application in the world, IE would send out the request packet first of all. Just to check. Just in case the HTTP server was, oh, say, a Microsoft IIS server. Because IIS' HTTP teardown sequence looked like this:

Client Server
1. ...And that's it. The client doesn't FIN, and the server doesn't ACK. In other words, the connection is kept "half-open" on the server end. The reason for this? Why, to make subsequent connections from IE clients faster. If the connection isn't torn down all the way, all IE has to do is send an HTTP request, with no preamble-- and the server will immediately respond. Ingenious!

They probably called it "Microsoft Active Web AccelerationX(TM)®" or something.

(I may be remembering this incorrectly; it might be that the client does FIN, and the server simply keeps the connection around after it ACKs it. Instead of shutting down the connection entirely, it just waits to see if that client will come back, so it can open the connection back up immediately instead of having to go through that whole onerous SYN-SYN/ACK procedure. Damn rules!)

Now, what does this mean for non-IIS servers? It means that if you use IE to connect to them, it first tries to send that initial request packet, without any SYNs-- and then it only proceeds with the standard TCP connection setup procedure if the request packet gets a RST or no response (either of which is a valid way for a legal stack to deal with an unsynchronized packet). But IIS, playing by its own rules, would respond to that packet with an HTTP response right away, without bothering to complete the handshake. So IE to IIS servers will be nice and snappy, especially on subsequent connections after the first one. But IE to non-IIS servers waste a packet at the beginning of each request-- and depending on how the server handles that illegal request, it might immediately RST it, or it might just time out... which would make the browser seem infuriatingly slow to connect to new websites.

This is only marginally less stupid than RunTCP's "solution"-- and I say "marginally" only because in the grand scheme of things, this probably makes sense to Microsoft's network engineers. After all, eventually all clients will be Windows platforms running IE, and all servers will be Windows platforms running IIS. And then we can break all kinds of rules! Rules are only there to hold us back and force us to play nice with other vendors. Well, once the other vendors are all gone, who cares about some stupid RFC?

I have to admire their arrogance and their confidence. But it'll be some time before I can bring myself to admire their technical integrity.

Re:Cut n Paste

[Afrosheen]

One thing looked familiar to me:

" Client Server
1. SYN ->
2.
4. Request ->"

That's very similar to the working of the infamous underpants gnomes.

1. Collect underpants
2. ?
3. Profit!

Re:Cut n Paste

I think what we're seeing is the use of the HTTP Keep-Alive which is part of the HTTP 1.1 standard. Am I wrong?

Re:Cut n Paste

[Todd+Knarr]

If this is what I think, namely that IE doesn't close the connection after getting the response, the author may want to look into HTTP 1.1 and this thing called "persistent connections". If a browser expects to make multiple requests from a server, the browser is allowed to leave the connection open and make further requests over it. If the server doesn't support persistent connections, it's free to close it's end of the connection. The browser is supposed to see this, close it's end and open a new connection for the next request, but it's possible IE is simply assuming persistent connections and only doing the close-and-reopen when it sees an error sending the additional requests. My guess is that they combined error-recovery ("the connection died, close it, open a new one and retry the request") with handling servers that don't support persistent connections ("server closed the connection, close our half and open a new one for this request").

Re:Cut n Paste

[StarTux]

What RFC means to MSFT:

Rules For Cowards.

Maybe this is what they mean by innovation? We all what they really mean by innovation:

"Screw the Open Standards, we will create our own Standard, but make it secret!".

Re:Cut n Paste

[Randolpho]

So that would be:

1) Rewrite TCP
2) ???
3) Speed boost!

Re:Cut n Paste

[AntiNorm]

What RFC means to MSFT:

"Rules For Competitors." Not for themselves.

Re:Cut n Paste

[JSmooth]

Granted I cannot read the actual article as the site is down by based on the above:

This is fuzzy math. I do not like IE/IIS any more than the next guy but if the server to leave a half open connection on IT's side two things would happen.

#1 The client's TCP stack (not IE, the stack) would have no idea that this connection was still open and would send a new SYN as soon as the user selected another link. This new request would have a different sequence number (probably source port as well) and would have to do the THREE-WAY handshake (SYN - SYN/ACK - ACK). Negating any benefit

#2. Those 1/2 open connections on the server use resources. Any host has a limit to the # of connection it can maintain at which point it stops accepting new ones (Check out how syn-floods work!) that means if this were true IIS server would need to be restarted constantly to clear these buffers.

Re:Cut n Paste

[Bert64]

Not only that, but blind spoofing would be trivial...
not that windows isnt already far easier to blind spoof on than any other modern os.

Re:Cut n Paste

[dws]

I think what we're seeing is the use of the HTTP Keep-Alive which is part of the HTTP 1.1 standard. Am I wrong?

IE does use Keep-Alive, but that's much higher up the protocol stack, and is a separate issue from taking shorcuts when setting up a low-level connection.

Keep-Alive merely provides a means for a browser to signal to the server that additional requests will follow on the same socket. If the server plays along, it will both leave the socket open at the end of the request, and will signal the browser by returning an appropriate header. This saves a lot of extra socket setup and tear-down, but is independent of whether the socket is set up correctly, or by a dubious short-cut.

Re:Cut n Paste

[FurryFeet]

Of course, the real Grail would be to solve:
1. Karma
2. ???
3. Profit!

Re:Cut n Paste

[Ivan+Raikov]

#1 The client's TCP stack (not IE, the stack) would have no idea that this connection was still open and would send a new SYN as soon as the user selected another link. This new request would have a different sequence number (probably source port as well) and would have to do the THREE-WAY handshake (SYN - SYN/ACK - ACK). Negating any benefit

True, but suppose they hacked their TCP stack to recognize a magic SYN number, and bypass the three-way handshake if the client sends this magic number. Improbable? IE is part of the Windows kernel, so what's to say it doesn't poke directly in the TCP/IP stack. Wild speculation, I know.

Re:Cut n Paste

[Bodhidharma]

I run a bunch of Apache/mod_ssl servers for WebCT, an online course management tool. We have to disable keepalives for IE users because otherwise their connections get hosed up.

I wonder if this habit of playing fast and loose with the protocol is responsible.

Re:Cut n Paste

[damiam]

Steps:

2.1. Invent time machine 2.2. Go back to before the time of the Karma Cap 2.3. Whore madly for karma 2.4. Leave the account dormant until now 2.5. Sell 300-karma account on eBay to an infamous troll 3. Profit!!!

Re:Cut n Paste

[Sunda666]

Hmmm this smells bad to me.

I am no TCP guru, but this looks a bit odd. From the text I understand they say IE establish a connection without sending a SYN packet....
I may be wrong, but this is totally impossible to do over TCP/IP. SYN is required, in order to establish a new TCP sequence and inform the server that it is a *NEW* connection, not something related to an old one.
If all this guy claims is true, the screwup is below IIS and IE. It is in the windows TCP/IP stack. And I am really puzzled how they manage to do connection tracking this way. Ah, and for sure, if it really works this way, it can't be called TCP/IP.

Ofcourse if it just opens the connection in a normal SYN way and keeps it open for all the HTTP requests, nothing is wrong. These are new features of HTTP/1.1 called keep-alive and pipelining, and even Mozilla supports them (check preferences/advanced/HTTP networking).

cheers

Re:Cut n Paste

[Sunda666]

Unless they are *not* using the standard sockets interface... rather using some undocumented hack inside win32 that does this (hey, linux has something like this, its called the "Packet Generator"(LOL), but it is atleast documented (and has its usage higly counter-recommended)). Man, if this is the case, I see some ppl getting pretty pissed off. Thats why closed-source monopoly software is not a Good Thing (TM). Anyone remember the stories about M$ using undocumented windows APIs in Office to be faster than the competition?

cheers.

Re:Cut n Paste

[CableModemSniper]

RFC = Read, Forget, Change?

Re:Cut n Paste

[Black+Copter+Control]

If you accept MS's claims that IE is now inseperable from the OS as a whole, then you're getting pretty close to being in kernel land. Once you get there, it's pretty easy to just start putting special hooks that allow IE to randomly mess with how the TCP stack works.

Remember: the same company that wrote MSIE wrote MS-Windows. Just because most normal programs aren't able to mess with TCP sequences doesn't mean that IE's programmers don't know something that we don't.

Re:Cut n Paste

[einhverfr]

that means if this were true IIS server would need to be restarted constantly to clear these buffers.



Of course, the connections would eventually time out, negating this effect to some extent. But I wonder how the hacks of standards play out into the general performance of the product.

Re:Cut n Paste

[evocate]

Lucas Star Wars plan
1. Natalie Portman
2. ?
3. Profit!
--
sed 's/commun/terror/g' mccarthy > bush

Re:Cut n Paste

[crisco]

Doesn't a great deal of spyware tie into the TCP stack? Or am I thinking of something that happens at a higher level? I thought thats why bad things happened when you just simply deleted certain spyware .dlls, that they had their hooks too deeply in the network stack.

Re:Cut n Paste

[ceejayoz]

I dunno, knowing the SW fanbase, I'd say it's more like:

1. Natalie Portman
2. Profit!

Re:Cut n Paste

[jonadab]

The original poster who said that IE is "in the kernel" probably
meant that IE is part of the internal guts of how Windows works.
That probably means he has it mixed up with Windows Explorer, but
that would be an easy mistake to make, especially if you've never
seen earlier versions of the two programs from before they started
sharing display libraries and WE started rendering HTML (c1998).

IE didn't _used_ to install a driver as such, but I haven't installed
a recent version of IE. (I've used IE6, but it was preinstalled.)

Anyway, what the article describes isn't totally clear, but if I
understood correctly, it's not talking about IE _really_ trying to
send a request packet where no connection has ever been set up, but
rather about the issue first being noticed as a result of a trace
that showed behavior that _appeared_ to be that -- which it would,
if the server closed the connection and IE pretended it was still
open and tried to use it. I suspect that's what's really happening,
but if you jump in in the middle you see that there's nothing on
the server end in the way of a connection and this unsynchronised
request packet appears out of the blue, _as if_ IE were skipping
the handshake -- but perhaps it really just never closed its end
of an earlier connection.

As far as whether that violates the TCP, you'd have to ask a TCP
guru, which I'm not. If it did violate TCP, I can easily believe
Microsoft might do it anyway, but I'm not ready to assume that it
violates the protocol without checking, since many protocols leave
room for behaviors that are not usually done, and it could be that
Microsoft followed the protocol in a different way from others.

Re:Cut n Paste

[Markus+Landgren]

How about this one?

1. Sell anthrax and other biological weapons to Saddam Hussein.
2. Wait a few years.
3. "Discover" that Iraq owns weapons of mass destruction, and start a war against them.
4. Replace their nasty military dictator with a friendly military dictator.
5. Steal their oil.
6. Profit!

No, wait...
There is no "?" in that one.

Re:Cut n Paste

[unitron]

Are you sure those aren't the

Proprietary Internet Microsoft Protocols?

Re:Cut n Paste

[unitron]

"...now to figure out exactly how much a jigawatt really is."

That's just the "phonetic" spelling of the proper pronunciation of gigaWatt (which I think is one thousand megaWatts). The root word is "gigantic" (or whatever the word gigantic is based on), hence the "j" sound. And yes, you have been mispronouncing gigabyte and gigaHertz all this time as well. But then, so have I.

Mozilla is quick too...

[nother_nix_hacker]

...but I think thats because during the build process it caches the entire web, hence the build time!

http://grotto11.com/blog/?+1039831658

18:07 - What makes IE so fast?

(top) Internet Explorer on Windows always seems either to run impossibly fast (page requests are fulfilled almost before the mouse button has returned to its original unclicked position), or ridiculously slow (as with the weird stalling-on-connect problem that many people, including myself, have noticed).

One possible explanation is something that my team and I noticed a couple of years ago, in analyzing packet traces of IE's connection setup procedure. Microsoft might have fixed this since then; I'm not sure. But it's a possible culprit.

First of all, for those rusty on their TCP/IP-- here's how a normal HTTP request over TCP should work:

Client Server 1. SYN -> 2. <- SYN/ACK 3. ACK -> 4. Request ->

This is how the client and server synchronize their sequence numbers, which is how a connection gets established. The client sends a synchronization request, the server acknowledges it and sends a synchronization request of its own, and the client acknowledges that. Only then can the HTTP request proceed reliably.

The server's SYN (synchronize) and ACK (acknowledgement) packets are combined for speed; there's no reason to send two separate packets, when you're trying to get a connection established as quickly as possible. Another speed enhancement that Mac OS 9's stack uses, by the way, is to combine the client's ACK and the HTTP request into a single packet; this is legal, but not frequently done. The idea is that within the structure of TCP/IP, you want to minimize the number of transactions that need to take place in setting up the two-way handshake necessary before you can send the HTTP request.

When tearing down a connection, it looks like this:

Client Server 1. <- FIN 2. ACK -> 3. FIN -> 4. <- ACK

This generally takes four steps, and the FIN/ACK packets are usually not consolidated because connection teardown is nowhere near as speed-sensitive as startup is. (The FIN sequence can be initiated either by the client or the server.)

Many very stupid companies have tried to come up with overly clever ways to speed up TCP/IP. TCP, by its nature, is a stateful and bidirectional protocol that requires all data packets to be acknowledged; this makes the data flow reliable, by providing a mechanism for dropped packets to be retransmitted; but this also makes for a more strictly regimented flow structure involving more packets transmitted over the wire than in simpler, non-reliable protocols like UDP-- and therefore it's slower. One company that thought itself a lot smarter than it really was, called RunTCP, came up with the idea of "pre-acking" TCP packets; it would send out the acknowledgments for a whole pile of data packets in advance, thus freeing them from the onerous necessity of double-checking that each packet actually got there properly. And it worked great, speeding up TCP flows by a significant margin-- in the lab, under ideal test conditions. The minute you put RunTCP's products out onto the real Internet, everything stopped working. Which stands to reason-- their "solution" was to tear out all the infrastructure that made TCP work reliably, under competing load and in adverse conditions, in the first place. Dumbasses.

So then there's this thing we discovered in the lab. We noticed that when you entered a URL in Internet Explorer 5, its sequence of startup packets didn't look like the one shown above. Instead, it looked like this:

Client Server 1. Request -> Uh... what? Dunno what the hell this is. I'll ignore it, or RST. 2. Oh, you're a standard server. Okay: SYN -> 3. <- SYN/ACK 4. ACK -> 5. Request ->

In other words, instead of sending a SYN packet like every other TCP/IP application in the world, IE would send out the request packet first of all. Just to check. Just in case the HTTP server was, oh, say, a Microsoft IIS server. Because IIS' HTTP teardown sequence looked like this:

Client Server 1. <- FIN 2. ACK ->
...And that's it. The client doesn't FIN, and the server doesn't ACK. In other words, the connection is kept "half-open" on the server end. The reason for this? Why, to make subsequent connections from IE clients faster. If the connection isn't torn down all the way, all IE has to do is send an HTTP request, with no preamble-- and the server will immediately respond. Ingenious!

They probably called it "Microsoft Active Web AccelerationX(TM)®" or something.

(I may be remembering this incorrectly; it might be that the client does FIN, and the server simply keeps the connection around after it ACKs it. Instead of shutting down the connection entirely, it just waits to see if that client will come back, so it can open the connection back up immediately instead of having to go through that whole onerous SYN-SYN/ACK procedure. Damn rules!)

Now, what does this mean for non-IIS servers? It means that if you use IE to connect to them, it first tries to send that initial request packet, without any SYNs-- and then it only proceeds with the standard TCP connection setup procedure if the request packet gets a RST or no response (either of which is a valid way for a legal stack to deal with an unsynchronized packet). But IIS, playing by its own rules, would respond to that packet with an HTTP response right away, without bothering to complete the handshake. So IE to IIS servers will be nice and snappy, especially on subsequent connections after the first one. But IE to non-IIS servers waste a packet at the beginning of each request-- and depending on how the server handles that illegal request, it might immediately RST it, or it might just time out... which would make the browser seem infuriatingly slow to connect to new websites.

This is only marginally less stupid than RunTCP's "solution"-- and I say "marginally" only because in the grand scheme of things, this probably makes sense to Microsoft's network engineers. After all, eventually all clients will be Windows platforms running IE, and all servers will be Windows platforms running IIS. And then we can break all kinds of rules! Rules are only there to hold us back and force us to play nice with other vendors. Well, once the other vendors are all gone, who cares about some stupid RFC?

I have to admire their arrogance and their confidence. But it'll be some time before I can bring myself to admire their technical integrity.

First Post...

[Groganz]

Ah, damn Mozilla.

Re:First Post...

[Sabbath.sCm]

Should have used IE for that. ;)

Nothing new really

Heck, IE still uses an HTTP Accept line with */* at the end without quality ratings rather than a more complete one, like Mozilla's. Reason? It saves a few bytes.

Example:
IE 6/Win: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*

Mozilla: application/x-shockwave-flash,text/xml,application /xml,application/xhtml+xml,text/html;q=0.9,text/pl ain;q=0.8,video/x-mng,image/png,image/jpeg,image/g if;q=0.2,*/*;q=0.1

Opera is Worse

[checkitout]

For Opera to get it's "Fastest browser on earth" title, it caches EVERYTHING. Even things that aren't supposed to be cached like SSL pages.

Re:Opera is Worse

[doowy]

For Opera to get it's "Fastest browser on earth" title, it caches EVERYTHING. Even things that aren't supposed to be cached like SSL pages.

Opera also renders super fast. Even going through local pages or cache, the difference is noticeable to me (admittedly, on an outdated machine - but saying I should need a P4 to browse the web is silly).

Opera isn't worse. It's better. Definitley less bloat. It CAN render faster. And if I understand the article correctly (I actually read it) then it means this:

• IE retrieves faster from IIS servers.
• IE retrieves SLOWER from all non-IIS servers.

Common slashdot propoganda suggests MOST servers are not IIS. This would mean Opera can retrieve faster on average.. and I'm fairly certain it can render the page for display quite a bit faster.

P.S. You can turn off caching in the options if it really bother you.

Re:Opera is Worse

[tshak]

Bzzzt... wrong. You can disable all caches, including RAM caches, and the performance hit is only noticed when you go back to pages that you've already been too. Opera is still extremely fast - there's a reason it's packaged in a 3MB binary.

Re:Opera is Worse

[youBastrd]

Having switched over to Opera for research, work and school, I've noticed Opera is fast to *use*. That is, tabbed browsing, mouse gestures, and a well thought-out interface makes Opera more efficient to use. The raw TCP performance is not the bottleneck, the user is.

Re:Opera is Worse

[MrEd]

Common slashdot propoganda suggests MOST servers are not IIS.

So does some non-slashdot propaganda.

Re:Opera is Worse

[toriver]

Nonsense. Opera gets its speed by opening multiple connections as it encounters e.g. an IMG or whatever element that requires a separate download.

security

[agurkan]

Does anyone know if this sequence is there for security purposes? It looks like this might lead to a spoofing vulnerability.

Re:security

[TheMidget]

Does anyone know if this sequence is there for security purposes? It looks like this might lead to a spoofing vulnerability.

Indeed, it makes spoofing much easyer: no need to bother with sequence number guessing, just send your data packet right away, and pretend the connection is already open. This, combined with the fact that many IIS servers are often full of SQL-injectionable scripts should provide for great phun! Who needs open proxies when you can spoof so easily?

Re:security

[nonane]

> no need to bother with sequence number guessing, just send your data packet right away, and pretend the connection is already open.

wrong. you still need to know the sequence number of the stream from the client to the server if you are going to send a packet. otherwise the server will drop the packet.

Re:security

[Reziac]

No one seems to have taken your question seriously, but I'll admit that was my very first thought on reading the article -- "What happens when IE encounters a server that only *claims* to be of the Microsoft IIS species?? How easy is it to fool??"

Anyone tested it?

Re:security

[nahdude812]

The server makes no explicit claim to be IIS. Instead it takes steps on its end to enable users to take advantage of half-open connections to avoid the normal handshake. IE tries the non-handshake connection, if it works, super, if it either gets rejected, or times out, then it tries the traditional method.

There is no explicit claim being made, rather it's more like walking up to a bank teller and saying "I'd like $100 please." If s/he then says "I'm sorry, first I'll need your account number," or stares back at you blankly, then you'll give her/him your account number, and proceed with the transaction as you were intended to do from the start. Perhaps she recognized you though (half-open connection), and was able to allow you to get by with out the handshake of account information. Bank policy (RFC's) requires her to ask your account number, but she sidestepped that.

Re:security

[Reziac]

Okay, I see. Now, what if the server does this, gets IE's "confidence" so to speak, then is this exploitable at all?

[I don't use IE because I dislike its general way of working so much, so in my case the question is purely academic.]

Re:security

[nahdude812]

No, IE never acts any differently toward any server over another. It tries the "fast connect" method, if that fails, it goes for a regular connect. It has no idea what the remote server is, but the fast connection either works, or it doesn't. This is no more exploitable than any standard connection process, in that this provides no more ability for a 3rd party to intercept or interfere with the connection, nor any more ability for the actual server to send back malicious data. Either the server responded to the fast connection (success) or it didn't (IE will try standard connections)

1 packet????

[rollthelosindice]

So you are trying to tell me that the reason IE is sometimes unbelievably fast is because of 1 packet on a handshake?

I find this hard to believe, and also very un-newsworthy.

Re:1 packet????

[GMC-jimmy]

Not just 1 packet..

The way I understood it was there's 2 forms of communication going on between the client and server. For simplicity, I'll use an analogy.

It's sort of like making a telephone call in 1 of two ways:

The first way - Call a friend on the phone, and have an entire conversation, but never do the formality of a "Hello" or "Bye" at the beginning or end of the call and don't hang up even if you've run out of things to say.

The second way - Call a friend on the phone, but ring them individually for each and every word of the entire conversation, and be sure to include the formality of "Hello" and "Bye" with each and every call.

Maybe I have a wierd way of reading this, but that's what I got out of it.

keepalive protocol?

[ItalianScallion]

i wonder about the relationship between this and the standard keepalive protocol, which basically is a standard that keeps a connection open for a certain amount of time so the browser doesn't have to keep opening new tcp connections for each image or whatever.
i would assume that the keepalive protocol reduces the ill effects of this system, since once a connection is made it doesn't have to be torn down and reestablished, or at least not for each request.

Re:keepalive protocol?

[dnoyeb]

Yes I think so. Many are saying, "why doesent the server just dump the conn?" Well its the server who has the load and its time is precious. It would prefer not to have to reopen a connection if it can keep it open. Saves time to keep it open. Clients are relatively unloaded when their users are browsing, its a leisurely activity.

So M$ is abusing the servers trust. Otherwise I didnt hear any really down side to what they are donig. Maybe others should just even it up by joining them. Of course protocols were designed that way for a purpose...

Sounds pretty decent...

[Randolpho]

Let the flames commence, because I *do* think it's ingenious.

Essentially Microsoft is rewriting TCP to make it UDP-like by sacrificing TCP's guaranteed delivery for a speed boost. Since HTTP is essentially stateless, this doesn't sound like an overly bad idea.

I do have one question, however; how is it that Internet Explorer is able to rewrite TCP rules? Doesn't it use win32's TCP service? Or does it call a different, special TCP service?

Re:Sounds pretty decent...

[httpamphibio.us]

great post, wish i had mod points... i'd love to see this question answered.

Re:Sounds pretty decent...

[gilroy]

Blockquoth the poster:

this doesn't sound like an overly bad idea.

Hmmm. Deliberately breaking -- oh, I'm sorry, "rewriting" -- one of the core technologies of the Internet, without telling anyone and in such a way as to pad their speed numbers? Nah, nothing wrong about that...

Re:Sounds pretty decent...

[Moridineas]

to pad their numbers? If it gives a verifiable speed increase and makes IE "so fast" as the article says, what's wrong with that?

Re:Sounds pretty decent...

[Randolpho]

Hmmm. Deliberately breaking -- oh, I'm sorry, "rewriting" -- one of the core technologies of the Internet, without telling anyone and in such a way as to pad their speed numbers? Nah, nothing wrong about that...

And what's wrong with that? It doesn't break the internet, and it clearly boosts speed. I'll grant you that it seems to only gives a boost with IE talking to IIS, and appears to be a slowdown for any other combo; perhaps MS could have done a better job by releasing the specs so that other webservers could take advantage of the speed boost.

But they are a business trying to gain a foothold in a market dominated by other platforms; it isn't a bad marketing strategy.

Re:Sounds pretty decent...

[nmg]

What's wrong with that? Mozilla didn't think of it first.

Re:Sounds pretty decent...

[evilviper]

Essentially Microsoft is rewriting TCP to make it UDP-like by sacrificing TCP's guaranteed delivery for a speed boost. Since HTTP is essentially stateless, this doesn't sound like an overly bad idea.

Well, because IE leaves server-side connections open, it would make things much more difficult for the server-end, no matter if you run IIS or not. So, it can basically be considered a low-level DoS attack on all non-IIS servers.

Wouldn't you be upset if IE pre-cached all the links in a page, just so users would have a bit of a speed boost? If they wanted IE/IIS to be faster when speaking with each other, why no have them communicate on a different port, instead of casuing problems, and slow-downs on non-IIS servers? Hey, they could use port 80, UDP... That would be faster, and since non-IIS servers won't be using UDP/80, it won't be incorrectly leaving connections open, sending invalid packets, slowing down communications with non-IIS servers, etc.

It's not that they sped things up, it's that they did it in such a way that it causes minor problems for servers that don't use IIS. Sound a little like the Microsoft Java fiasco a little while back? Leveraging their desktop monopoly to sell IIS...

So, this is a overly bad idea, and there are a thousand ways they could have done this better, while not causing problems for non-Microsoft products.

Re:Sounds pretty decent...

[Bert64]

But why rewrite an existing service, why not create HTTP over UDP, with a fallback mode to regular HTTP over TCP incase the client/server cant support the udp mode.

Re:Sounds pretty decent...

[csnydermvpsoft]

Even if the Mozilla team did come up with this idea, it would never be implemented. Why? Standards compliance. That's been their goal from the beginning - they would never break a standard, especially as fundamental as TCP/IP.

This just goes to show the differences between Microsoft and many open source projects. Microsoft didn't care at all about the impacts of this decision - as long as it makes IE and IIS look faster, it's in. However, Mozilla/Apache/etc. aren't willing to sell out.

Re:Sounds pretty decent...

[Moridineas]

Ok, so what IS the impact? What's so terrible about this? That it gives a microsoft browser a speed advantage over a free browser?

Re:Sounds pretty decent...

[baptiste]

Except keep-alive connections are a part of HTTP 1.1. A part that Mozilla doesn't implement, apparently.

You obviously have no clue about networking. keep-alives are implemented at a MUCH higher level, using a keep=alive header to keep the connection open.

The sequences described here are low level packet tweaks which are not RFC compliant at all. They leave connections in a half closed state in case another non RFC compliant request comes in.

SO what happens? It makes IE requests complete faster on IIS, but non IE requests slower due to an extra handshake due to the connection being half closed.

Re:Sounds pretty decent...

[iabervon]

Which makes you wonder: if you can do well enough without guaranteed delivery that a broken TCP is faster under common loads than a working one, why not use UDP? If UDP is good for anything, it's good for stateless, repeatable, brief request/response pairs, which is most of the traffic on the web.

Ideally, web servers would support using UDP and clients would attempt UDP and fall back to TCP if UDP seems to be unreliable (it's easy to tell if you're getting the whole thing, since you know the length of the page from the headers). The reason not to use UDP is that you can't be sure what happened if you don't get a complete response, but it doesn't matter for GET/HEAD requests (POST you do care, otherwise you might submit a form twice): if you don't get a complete response, you want to try again, and a new request isn't different from resending the dropped packet.

Re:Sounds pretty decent...

[baptiste]

Wouldn't you be upset if IE pre-cached all the links in a page, just so users would have a bit of a speed boost?

Mozilla does this now, sort of. If the web page includes specific tags, Mozilla will pre cache those links to give a speed boost. BUT - since it requires tags, its something the web site can enable on a link by link basis

Re:Sounds pretty decent...

[moncyb]

Read the article closly. A request from IE to a non-ms server will take longer than a request from a normal browser using compliant TCP to the same server. This not only gives IE a speed advantage with IIS, it makes non-ms servers appear slower than they actually are when you use IE! The only speed advantage is with IE and IIS. As I remember, this sounds like part of the antitrust case against microsoft.

Re:Sounds pretty decent...

[jericho4.0]

Because if IE does this it would be causing servers to use up resources much more.

In fact the vague article, ease of verification, and obvious implications of this point to this being false.

Re:Sounds pretty decent...

[Dachannien]

Using UDP for HTTP would move error correction up a level in the protocol hierarchy, which means a zillion new methods for error correction would be created. Not a good thing, since they'd all be proprietary and unlikely to follow each others' standards since you'd have web servers written by some people communicating with clients written by other people. On the other hand, TCP includes error correction, and TCP is generally implemented at the kernel/system level rather than the application level. That means no matter which client-server combination is talking, as long as they are riding on a kernel which supports the RFCs for TCP/IP, they are guaranteed to be able to communicate, leaving only HTTP and HTML compatibility up to the application.

Re:Sounds pretty decent...

[dbrutus]

Perhaps it's because for 60%+ of the servers out there, it actually makes things slower and for 100% of the servers, it makes it less reliable.

Re:Sounds pretty decent...

[harlows_monkeys]

I do have one question, however; how is it that Internet Explorer is able to rewrite TCP rules?

Simple: it doesn't. The blog the story referes to is almost certainly wrong. How many thousands of people have packet sniffed IE over the years? You'd think someone would have noticed this before if it were real.

Re:Sounds pretty decent...

[Guppy06]

"Essentially Microsoft is rewriting TCP to make it UDP-like by sacrificing TCP's guaranteed delivery for a speed boost."

Yeah, that's right... reworking a connection-oriented transport protocol so that it functions more like a connectionless protocol. Instead of just... say... using UDP to begin with.

Yeah, ingenious. In a "Rue Goldberg reinvents the wheel" kind of way.

Seriously, instead sending a TCP REQ segment first, why not see if UDP:80 can be used first instead? Microsoft could then rig IIS to respond on UDP:80 requests and, not only would they have the "faster" load times they're looking for, they wouldn't be breaking the internet for other people as well. Unless that's their goal...

Re:Sounds pretty decent...

[gilroy]

Blockquoth the poster:

It seems like this is an attempt to improve performance. The side effect is that the RFC is broken

No. The RFC is the framework. The Internet is a system of systems that can be interlinked because they communicate according to a well-established, public, open framework. No company should be in the "business" in mucking with that. If Microsoft discovered a failing in the RFC -- which, by all appearances, they did not -- then there exists a well-established, well-understood path to fixing the framework.

Here, Microsoft has decided, arrogantly IMHO, that their tiny bit of speed enhancement is worth making the TCP connection less reliable. At the very least this wastes bandwidth; it might also waste human resources as people try to track down a "glitch" in their system that simply isn't there. If Microsoft found that the RFC is "broken", why didn't they tell anyone? Why didn't they try to help "fix" it?

No, this is the same penny-ante, half-assed crap that spawned Windows: Let's use all these undocumented tricks to make our software look better. Standards be damned. Interoperability be damned. Our customers be damned, and by God, the greater public be damned.

For all their talk of information "ecosystems", Microsoft still conducts themselves like a classic slash-and-burn outfit.

Re:Sounds pretty decent...

[p00py]

Well then, I guess we may as well just stop scientific experimentation and curiosity in general, because nothing is left to be discovered.

"Oh, a sarcasm meter, -that's- a useful invention..."

Re:Sounds pretty decent...

[evilviper]

Doubtful. Since IE could still default back to standard behavior in case of a firewall blocking, I don't think it would be a problem.

Since IE is so popular, they could make the change and watch as the port is almost instantly opened on 99% of firewalls. That would put the decision in the hands of the admin, where is should be.

Re:Sounds pretty decent...

[Daniel+Phillips]

But it looks like they found a better way to do things without breaking compatibility, without causing lots of problems, and without causing anything like you describe.

Yes, and for once I agree with you. I'd like to hear arguments from the Apache team about why a new RFC should not be written to enshrine the protocol extension. I can't find anything to hate about the extension at all: clearly nobody is forced to use it.

Now, as described, the extension is not evil, but it could become so, if for instance, Microsoft clients or servers were to use some out-of-band technique to descrimate against non-Microsoft servers or clients, and thus service the protocol extension only between Microsoft products, even if the other side understands it perfectly well. And this is not just paranoia either, since Microsoft is already well-known for discriminating against non-Microsoft web clients connecting to, for example, MSN. Which is pure evil, more so when done by a monopolist, and so far has gone both uncorrected and unpunished. Given such success and considering Microsoft's track record, it's hard to believe that a batch of considerably less laudable protocol extensions are not in the works, or already in the field.

But this protocol extension, I like. Somebody please give *technical* reasons why it is not good. But note: the scalability argument is already rejected, it's bogus. The server does not have to cache the connection when it's under heavy load, it can just drop it and let the client fall back to the vanilla protocol.

As far as I can see, the real problem is that no RFC has been drafted, submitted or proposed, and there's no white paper or anything like that. That's clearly wrong.

Re:Sounds pretty decent...

[StarTux]

"So, this is a overly bad idea, and there are a thousand ways they could have done this better, while not causing problems for non-Microsoft products."

Thats your answer, not only do they make it seem that the upgrade was worth it, but those sites not using IIS *could* be deluged by people claiming *your* site is slow. Well thats what I think they may have hoped.

StarTux

Re:Sounds pretty decent...

[ReTay]

How about because they are not increasing the connection speed. They are causing more traffic
because like it or not IIS is not the majority server out there. There for more often then not they are creating more traffic and slowing down your browsing not speeding it up.
Any other questions?

Re:Sounds pretty decent...

[Baki]

The idea is not bad, but to use TCP out of spec is horrible and inexcusable.

One should have defined a HTTP over UDP instead.

Practical problem with that is that UDP packets may arrive out of order, and may be dropped more easily. HTTP should have provided a (thin) layer above UDP to make it reliable enough for its purposes; which, admittedly, is less than TCP. TCP is a bit of an overkill for HTTP.

HTTP 1.1 has improved this in another way, by reusing connections to the same server. This greatly diminishes the amount of TCP open/close and thus also the advantage/disadvantage of IE's behaviour.

This isn't what I'm seeing

[beezly]

Ok, I've only been able to read the copy of the blog from that which has been pasted in these Slashdot replies (i.e. I might have missed some of the story), but I've just tried this out and it's not what I'm seeing at all. Between an IE6/XP machine and my Apache box...

21:54:48.351781 10.0.0.29.4109 > 10.0.0.5.www: S 3610909795:3610909795(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
21:54:48.352052 10.0.0.5.www > 10.0.0.29.4109: S 4178252606:4178252606(0) ack 3610909796 win 5840 <mss 1460,nop,nop,sackOK> (DF)
21:54:48.352202 10.0.0.29.4109 > 10.0.0.5.www: . ack 1 win 64240 (DF)
21:54:48.352400 10.0.0.29.4109 > 10.0.0.5.www: P 1:243(242) ack 1 win 64240 (DF)
21:54:48.352528 10.0.0.5.www > 10.0.0.29.4109: . ack 243 win 6432 (DF)
...
...
...

Which appears to be a perfectly standard SYN->SYN->ACK handshake at the beginning. Also, do IE5.5/6 support HTTP pipelining? Surely this would explain the web browser not tearing down connections in between HTTP commands. Mozilla supports it! :) ... or maybe I've just not understood the blog entry correctly!

Re:This isn't what I'm seeing

[rogueuk]

well..the blog was talking about connections from ie to iis servers, so apache wouldn't be able to do any of this

however, from other posts i've read it seems this whole theory might be just some persistant connection or http 1.1 stuff so in effect any browser/webserver that supports it should be able to do it.

Re:This isn't what I'm seeing

[pVoid]

Yes, you are right. The whole point is that IE is painfully slow in certain scenarios where the server just drops the packet instead of sending a RST.

I for one am having the exact same results as you are. And realistically, I don't think any of this crowd will heed your post. It's too unhumiliating for IE.

On another note, I personally *am* plagued by this IE being super slow thing. And unlike some, I've looked into it logically: it happens 99.9% of the time if a javascript launches a new window, or if a link is Targeted.

I'm personally inclinded to think it might have to do with DNS. But I don't know. And I don't go around accusing people.

For christ' sake, even the poster says: my team and I noticed a couple of years ago

Whatever.

And the cherry on top of the whipping cream:

I have to admire their arrogance and their confidence. But it'll be some time before I can bring myself to admire their technical integrity.

Re:This isn't what I'm seeing

[pVoid]

Yes, indeed.

You know what is even more an indicator that this is much less involved with TCP: it happens if you have a local html file that opens a local JPG. Even then I get the lag.

Anyways, I'm not so inclined to solve this problem right now... I'm just ignoring it hoping some day it'll go away =)

(lazy ol' me).

Re:This isn't what I'm seeing

[BCoates]

On another note, I personally *am* plagued by this IE being super slow thing. And unlike some, I've looked into it logically: it happens 99.9% of the time if a javascript launches a new window, or if a link is Targeted.

I disable javascript, so i wouldn't know anything about that, but occaisionally trying to open a targeted link will freeze the browser window I tried to open the link from; opening a new browser instance and trying to follow the link will freeze that one too. I have to find the broken browser instance that's 'blocking' them and terminate it before the others will resume working.

that and the 'reload from dns error page waits forever' thing...

--
Benjamin Coates

Re:This isn't what I'm seeing

[Panoramix]

Thank you for posting that dump. The first thing I thought of was sniffing my ethernet myself, just to see if this was true. Regrettably, I have no Windows machines available here to test with (never imagined that I would ever think of this as 'regrettable' :-).

Anyway, I'm having a really hard time believing this story. I just can't get me to think that such a nasty hack would have gone unnoticed for years (the article speaks of years). I mean, think of the security holes it would open! The many router and firewall mysterious misbehaving it would trigger. And no sysadmin, or lowly script kiddie noticing this? It just can't be.

I'd love to have information on how to reproduce this, and see it for myself on my network. Yes I'd put Windows and (yuck) IIS in one of my boxes, for a couple of hours, to run this test. But until I can see it myself, or read about it in Bugtraq, I won't believe it, and will be ashamed that Slashdot is publishing it without a big note stating at the very least that "this may be not true".

Really, even though I'm a GNU/Linux user, the kind that actually uses the "GNU/Linux" tag from time to time, and that I love Mozilla and all, if find this just as low as the best FUD Microsoft has come up with in their dirty history.

Re:This isn't what I'm seeing

[moncyb]

The blog said IE was doing this a long time ago, and this "feature" sounds a lot like one of the complaints in the antitrust case, so maybe the DoJ forced microsoft to fix it...

Re:This isn't what I'm seeing

[/dev/trash]

Oh come on. Do you really think that the DoJ made MS change ANY of it's code? At most they made them change a few dodgy business contracts.

Re:This isn't what I'm seeing

[pVoid]

I'll answer my own questions for you to compare as well:

IE with affinity on one CPU still 'hangs'. Kernel times show about 90% of CPU is effectively spent in Kernel. Will investigate more.

Re:This isn't what I'm seeing

[n3m6]

it happens only between IIS and Internet Explorer. with a standard server like Apache the requests are normal. thats what the author said.

Re:This isn't what I'm seeing

[prizog]

Is this when clicking on a link? It ought to only happen if you click on a link, according to the author's description.

No, it's not.

[Rui+del-Negro]

No, it doesn't. In fact, it doesn't even cache any page that's protected by a password, nor does it add them to the list of recently visited addresses (which is nice both for security and privacy reasons).

They are only kept in the RAM cache (i.e., when you press "back" or "forward", it will usually show you a page's last state (down to the position of the scroll bars), without reloading it. This is quite useful, BTW; it means you can go back and forth between pages without losing what you were writing in a form (unlike MSIE, where forms are reset).

RMN
~~~

Re:No, it's not.

[jhunsake]

"They are only kept in the RAM cache"

Isn't a "RAM cache" a cache? Did the parent specifically mention disk cache?

Re:No, it's not.

Back/forward is allowed (expected in fact) to show the page without reloading it. See RFC 2616.

Re:No, it's not.

[mrm677]

Then if the system is compromised somehow, any debugger/program/back-orifice can attach to Opera and read its memory thus obtaining access to your "RAM-only" cached contents.

Re:No, it's not.

[decade_null]

That's why I use Mozilla, which is able to display pages without storing them in RAM at all.

Re:No, it's not.

[Rui+del-Negro]

Yes, in fact version 1.3 doesn't even use the graphics memory; it just sends the data straight from the TCP packets to the monitor's CRT.

RMN
~~~

Re:No, it's not.

[radish]

*cough* swapfile *cough*

Re:Oy

[peculiarmethod]

Absolutely, agreed, hallel.. oops..

I just upp'ed from a 200 mhz that I used to do the recording in my studio, limited video editing.. major graphics.. but I still had to use IE in order to get any kind of desirable surfing. Especially if someone is over my shoulder.

Noooow I have an athlon 2100xp with 1 gig ddr for my MASSIVE dvd video editing, 24 channel recording studio, chat, wi-fi porn war dialing, and MOZZILLA (in the shape of Phex) with an absolute feeling of euphoria every surfing experience. My slashdot time has doubled. Think about my porn hours.

IE has lost the game once mom and pop upgrade to modern machines.

bye bye

pm

Especially...

[Featureless]

And this is the highest irony...

That the poster did it as an AC... which means they get no karma.

Ooh. Double-dumbass.

Re:Especially...

[Trogre]

Don't worry. Slashdot karma is just a ficticious as the concept of karma in the cosmos.

Re:Especially...

[defile]

Microsoft is in the computing industry in much the same way that billboard-writers are in the literature industry.

Good show. :)

Er, for some reason your signature doesn't appear in the reply-to page, but it's there on the message board index.

They gave up

[Rui+del-Negro]

They couldn't determine the ? for the underpants, so now they're trying it with socks.

RMN
~~~

True.

[DAldredge]

Where else can you get into 100+ post flame wars because someone used the word American instead of the 'Correct' 'USian'?

Re:Slashdotted! Why can't Slash cache the page loc

[Randolpho]

Easy to do, yes. Practical? No way in hell. Slashdot already sees so much traffic that on heavy days I end up with TCP errors. Caching linked pages locally would only increase Slashdot's traffic woes.

And I haven't even mentioned *storage* yet...

Wow

[archnerd]

This almost makes me want to break some other rules and hack my TCP stack to send back some other amusing responses to unsynchronized packets - perhaps a ping of death or an invalid OOB packet (WinNuke)?

Re:Wow

[Anders]

This almost makes me want to break some other rules and hack my TCP stack to send back some other amusing responses to unsynchronized packets - perhaps a ping of death or an invalid OOB packet

You could, of course, do that. However, please be sure to make certain that the source address of said unsynchronized packet is not forged - or you will punish someone innocent.

The general rule still is to be conservative in what you produce but liberal in what you accept - the rule is in fact designed to keep things going, even if the other guy does not follow it.

Re:Wow

[archnerd]

Filtering of spoofed packets would be quite simple - just send the source address a bogus page contained and image tag and see if they proceed to request that image. If so, they're the real sender of the initial unsynced packet.

And btw, _my_ rule of thumb is being conservative in what produce and conservative in what I accept - just send me an email containing some spam phrases and you'll see what I mean.

who gives a damn?

[smd4985]

mozilla is a better browser anyways. ;)

Re:who gives a damn?

[/dev/trash]

except when it comes to this bug: http://bugzilla.mozilla.org/show_bug.cgi?id=186064

Bottom line

[core+plexus]

IE may seem faster to some because, as everyone knows, M$ is evil and made a deal with the devil. It's not faster to me because I use Linux.

Heres a much faster browser: Man Gets 70mpg in Homemade Car-Made from a Mainframe Computer

Re:Bottom line

[core+plexus]

Congratulations! Your post knocked it down to #3, at least.

You are angry because you know the truth.

And you post this on Slashdot?

[CaptainSuperBoy]

And you post this on Slashdot? As an AC? Talk about irony..

More Browser speed ups!!

[sweede]

i've ran Netscape 4.1 on my pentium 133 with a 28.8 kps modem, but web pages load instantly on my box. whats my secret??

Well i'll tell you !!

i upgraded to IE 6.0* and the web pages popped up instantly !! even the pop-ups where there just as quickly

using IE increased the speed of web browsing on the internet for me, it can for you too !

*Note: to run IE 6.0 i also had to upgrade to a more recent AMD XP system running Windows XP and a 1.5mbs Cable Modem service which had a 98% impact on page load and rendering times.

Re:More Browser speed ups!!

[Guppy06]

"i've ran Netscape 4.1 on my pentium 133 with a 28.8 kps modem"

You must be that poor bastard all those broadband commercials are referencing, then. I've always wondered why they always advertised as "x times faster than a 28.8 modem!" I mean, who uses them nowadays for something other than a doorstop?

Now that you've upgraded, I hope we can now have commercials with more meaningful information.

Why have I suddenly burst into flames?

FTP the same?

[Shelled]

A custom application we run at work makes use of the IE ftp client to make automated connects to our ftp server. Any other client, Linux or Windows, disconnects from the server on shutdown. IE or the IE-based ftp client don't, even if you exit IE. Because of this we've been forced to set a session idle timeout of 1 minute on the server to avoid hanging connections. Is this another example of the same technique, client-side?

Re:FTP the same?

[Greyfox]

I've run into that exact same problem, and had to take the same steps to resolve the problem. It's been a few years now, but at the time one client would open all the connections the FTP server allowed and then they'd stay open for hours. I would view that as a DOS and though there was a fairly easy workaround, I think a better idea would be to reject IE clients.

Re:FTP the same?

[Guppy06]

"even if you exit IE."

There's your problem. From IE 4.0 onwards, there's only one way to exit IE: You shut down Windows. Just ask the attorneys that testified before Judge Jackson.

Re:FTP the same?

[Elwood+P+Dowd]

The poster is completely mislead. He's talking about the fact that IE (and many other web browsers) don't tear down connections after only a single transfer. This allows them to transfer the web page, and then all the images, over only a few threads/connections. It results in a huge speedup, and has no downside, since they do close their connections once all the material is transfered. It's not so that subsequent page loads will be faster, if I understand corretly.

What IE does to FTP servers is a completely different problem. Yes, it is a similar technique, but FTP and HTTP are pretty different anyway. It's a lot more damaging, since FTP servers maintain a more state for connected users than HTTP servers (iiuc, again).

Re:FTP the same?

[Quikah]

Actually i am pretty sure that if you log out it will shutdown IE.

Re:FTP the same?

[Rogerborg]

Bear in mind that Joel used to work for Microsoft, so he's probably just exorcising some demons by giving it the old college try.

Re:Slashdotted! Why can't Slash cache the page loc

[Randolpho]

now *that* is a good idea! :)

In fact, every time I submit an article (not that any of my submissions have ever been accepted), I will attempt to find a google cached version.

It may be futile, if the story is too fresh. But I vow to try!

Enough!

[IamTheRealMike]

Stop with this! IE is fast because, to put it simply, Microsoft know how to write extremely fast code. That's it.

IE is fast because Microsoft know Windows coding inside and out. When you run iexplore.exe, no, it's not loaded at startup, the executable just loads the relevant COM objects. The UI appears first, then their rendering engine (Trident) is loaded async which is why you see a flat white area when IE is loading for a second or two before it becomes a 3D cutout. Everything is load on demand. That's why it's fast.

Office is fast because the Office coders aren't stupid. They don't pull any OS startup tricks or anything to make that happen. How do I know this? Because I once reinstalled Windows on top of Office - deleted the whole of the windows directory and reinstalled it. Word still started in under 3 seconds, although it gave one or two complaints about missing registry entries it started fine, and boy was it fast.

Maybe IE still pulls this trick, maybe it doesn't, but at the end of the day IE feels fast because they've put a lot of work into optimization. You'll note that Mozilla is catching up now as they also get the optimizations in.

Re:Enough!

[shyster]

Office is fast because the Office coders aren't stupid. They don't pull any OS startup tricks or anything to make that happen.

Actually, Office does use a OS starrtup trick to initialize shared resources and fonts. See here for Office 97, here for Office 2000.

Of course, even without this speed boost, Office is still faster than competitors, so I don't doubt that the Office coders know what they're doing.

Re:Enough!

[spongman]

they also use a little-known feature of the linker that supports delayed loading of statically linked DLLs. They also use global optimizations such as the /LTCG linker switch and an internal code relocation tool (that used to be called LEGO) that moves functions that often appear close to ech other on the callstack (based on profiling sttistics) into the same memory page to reduce paging load.

Re:Enough!

[Bert64]

Then why is IE so much slower on NT4 or 3.1 where it`s not integrated into the shell? Sure IE is made up of COM objects, but a lot of them are already loaded into memory, this is why the disk is barely accessed when you invoke iexplore.exe

Re:Enough!

[Ilgaz]

I am a registered Opera 7 (currently beta) user and with any experiment, Opera 7 loads faster and you can click to address bar and type address faster than IE. The response time I mean. I sometimes feel like using IE or have to use it, man that browser after Opera response time and speed makes me real mad.

This is P4 1800 with 256 mb RDRAM with all updates installed Windows XP SP1 (yes the IE os :)) , so please someone doesn't popup and say my system is slow.

While I don't agree with your comments (MS coders being ultra cool), I agree with you that those guys has the OS kernel source in their hands so they have the mega advantage.

I am telling the fact that Mozilla coders should stop whining about the IE preloaded kind of urban legend nor, it has superiour DHTML features, XHTML UI etc just because the same reasons as you. I just don't agree to ms coders are kind of ultra cool coders. They are _not_ bad coders of course, MS is a programmer giant but they aren't all programmer geniouses. They have the advantage thats all. IE DLL's preloaded? Oh time to blame AOL at first. They _still_ use mshtml.dll , all available com objects etc on their OWN flagship apps like ICQ.

oh those points made me k-lined from their IRC server with fake reasons :)

Next "blog" story will be the ultimate conspiracy that IE uses raw sockets features of the evil alien XP to use UDP packets to speak with IIS servers I bet :D

It *isn't* ingenious

By not closing the connection, it severly hampers IIS's scalability - in other words, it's a helluva lot more susceptible to the /. effect. Any server must keep track of open connections, and any computer only has a finite space to do that in.

Of course, when your target market is non-scalable toy computers, who cares if you software isn't scalable either.

Re:It *isn't* ingenious

[tshak]

Of course, IIS could just not allow the connection to stay open (check the config).

Of course, when your target market is non-scalable toy computers, who cares if you software isn't scalable either.



That was intelligent.

Lets all complain about MS's lack of standards

[MisterFancypants]

Yeah, yeah, Microsoft doesn't fully follow standards. Lets all whine about this on a site that doesn't bother to follow any known web standards for display. Geez, aren't we all so very cool?

If this behavior existed in an OSS app, we'd all be talking about what a cool hack it was...But since it was done by Microsoft is must be evil..Despite the fact that it DOES increase the overall positive user experience, it WORKS and while it might not be 100% standards compliant, it doesn't BREAK things that aren standards compliant. Cry me a river!

Re:Lets all complain about MS's lack of standards

[MisterFancypants]

Ever hear of common sense? If it were as bad as the original article made out, we'd have heard about it long ago as non-MS systems vendors complained about how IE and/or ISS were fuckin' things up for everyone. This is SOOO a non-story.

Re:Lets all complain about MS's lack of standards

[kingkade]

I've pirated every version of Windows for friends, giving them out at will to anyone who asks, and will continue to do so because MICROSOFT IS EVIL.

Yeah, keep rationalizing your actions when you're nothing but a thief. You're a software stealing asshole.

I doubt you'd approve of someone stealing your hard work and righteously justifying it by simply calling you or the company you work for (assuming you've ever had a real job) evil.

You make me sick.

Re:Lets all complain about MS's lack of standards

[Psx29]

Well if it existed in an OSS app it could be easily implented into any software that wanted to use this form of communcation so long as they abided by the lincensing terms. This is contrary to microsoft which has everything closed and propreitary, and pureposefully made to give people not using microsoft a harder time.

Is This Bad? Pipelining?

[suwain_2]

Reading this, I was forced to wonder... Is this really a bad thing? For once, it almost seems like true innovation, rather than their 'embrace and extend' (ie - 'extend' a standard just enough to make it incompatible with non-Microsoft stuff): they've found something superior to the current method in use, and both their browser and server software implements it. Better yet, it's backwards-compatible: a non-MS browser can connect to an IIS server, and IE can connect to a non-IIS server.

The thing I don't understand... Isn't this somewhat like keepalive and pipelining?

I normally hate Microsoft, and think they are up to massive conspiracies. However, in this case, it seems more to me like a legitimate innnovation, as opposed to some elaborate scheme. I fail to understand what is 'evil' about this: isn't this a good thing?

Pure BS

[unterderbrucke]

"One possible explanation is something that my team and I noticed a couple of years ago"

They had IE 3 a "couple" of years ago. This article is based on faulty data from two or three years ago, which the author even admits.

Maybe the editors should read the links in stories before posting the stories, it gives Slashdot a bad name to be posting articles like this.

IE Fast? What are you kidding me?

[tim0thy]

Go figure... my IE isn't coming with anything when I hit the above link.

Re:slashdotted

[scottj]

In other words, slashdot editors are no better than spammers. They both effectively steal bandwidth. When will this change? Taco needs to act now!

Re:Slashdotted! Why can't Slash cache the page loc

[IIRCAFAIKIANAL]

I did the same thing with a story I submitted recently - it was a NYT story so I submitted the google partner link. They didn't publish it though :) I urge all submitters to do the same in the future.

(Incidently, the story was about copyrights in Europe that will expire soon)

IE's other trick: full DOM and JS caching

[abischof]

IE's other trick, or so it is assumed (since the source isn't available) is that it does full DOM and JS caching.

That is to say, if you visit a webpage with (say) Mozilla, the HTML is interpreted and the HTML tree is built in memory. Pages with advanced CSS have a more complicated tree, of course. However, when the user leaves the page, that tree is destroyed and has to be recreated each time the user visits the page.

The bug to correct this in Mozilla is bug 38486 - "[FEATURE] Keep DOM and JS context in memory to provide fast access when clicking back". You can also vote for it (free Bugzilla account required) though you'll have to copy-n-paste the URL into your browser window since Bugzilla doesn't accept referrers from Slashdot.

PS Threaded e-mail is handy, eh? It sure is, unless your mail reader doesn't remember that you want to see your mailboxes in threaded view and keeps reverting back to collapsed form. That one is bug 64426 (vote for it if you like).

but... firewalls??? proxies??? caches??? netstat!

[jamesh]

that cannot be... surely there'd be an endless amount of problems with stateful firewalls. not to mention that isa and msproxy server would have to support this.

are we sure that the author just doesn't understand persistant connections???

a simple netstat -a would show you if the connection was kept open... i'm using squid as my proxy so can't test this.

does it really matter?

[nuckin+futs]

No matter how fast or how slow IE is, a lot of people are still stuck using it because there are just some sites that are Windows-centric. Some sites just don't work or looks like crap if you're using something else.

Re:does it really matter?

[jmorris42]

Nah, just get the toolbar add-on for Moz so you can spoof the user agent string. Just a day or so back I was browsing hauppage's site drooling over the just shipping WinTV-PVR 350 and it started that "You aren't running IE so go the fsck away" game." Flipped the user agent in Moz from Mozilla/Linux to IE6/XP and it never said another word. And the pages looked well rendered to me..... or as well rendered as Mozilla on Linux over does. (I know I'll rejoice with a great noise when the font situation is finally solved.... and running on MY machine.)

p.s. the WinTV PVR 350 is now shipping, but further research failed to turn up a Linux driver so it is a tough call, take the $50 discount running this month and pray or wait and see.

Sigh

[CaptainSuperBoy]

Do you even remember the 'first slashdot troll post' fiasco? When hundreds of slashdot users had their posts permanently set at -1, just for posting in a specific thread? Then the slashdot admins got defensive and blamed the users for being 'offtopic'? Right there is when I stopped respecting this site.

Re:MSIE is to blame!

[ez76]

It is forcing persistant connections rather than requesting them the HTTP/1.1 way! This means that these servers are stuck with tons of open Sockets causing it to refuse new ones!

Last time I checked, most web servers could reject persistent connections.

Speaks pretty poorly of the server (or network architecture) if your only recourse is to say "it's the client's fault!"

Plenty of other examples...

[Bert690]

..of Microsoft browser networking bugs which make it only work well with IIS. For example, This bug causes IE to fail to properly shutdown SSL connections. IE browsers using SSL conenctions with standard Apache webserver configurations will have all kinds of errors due to this issue. You need to either disable keepalives or increase the keepalive timeout to something outrageous like 2 minutes. This "bug" has been around for ages yet despite IE being in version 6, it is yet to be fixed. My guess is this is actually some kind of "feature" that makes IE work faster with IIS (since the connection never closes, subsequent reqests go faster, assuming the webserver knows how to speak the broken protocol).

Re:Plenty of other examples...

[wytcld]

A standard Apache/mod_ssl configuration includes:

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

... which pretty much takes care of it.

Meanwhile...

[The+Bungi]

...in an alternate universe...

-----------

Posted by timothy on Sunday January 05, @ 11:11PM
from the who-cares-if-its-fast dept.
zupah^x0r writes "Good news guyz!!1! While looking through the Mozila source I spoted the reason behind the browsers' supercallifagilistick speed; it seems the good folx at Mozilla are "cheating" when crating the HTTP requestor to the web server or something. Heres teh skoop. Please be sure to donation to the Mosila org, k?" Yes, they're cheating as far as the RFC is concenred, but this is a good thing as far as I'm concerned becuase the browser is fastest. Yay open source!

(Read More... | 4621 "comments" )

-----------
Now back to our regularly scheduled programming.

This was reported by SUN in 1997 !!!

4069902 TCP in 2.5.1 should have similar slow start mechanism as in 2.6 13 Aug 1997

) TCP BASICS - SLOW START AND DELAYED ACK

The TCP specification requires something known as "slow start". The
algorithm applies to the sender side and is described in RFC2001.

The intent of the slow start algorithm is to avoid a "congestion
collapse" in a network by ensuring that each TCP sender doesn't
overwhelm the network. The algorithm mandates that the first
transmission be a single packet. If the recipient acknowledges
the first packet successfully (i.e. the communication doesn't time
out and the recipient believes that the packet has arrived without
error), the sender sends two more packets. Successful transmission
results in the sender sending yet more packets in parallel, until
the capability of the underlying network is reached and one or more
packets are not acknowledged successfully. Essentially the sender
uses ACKs as a "clock" to regulate and gradually increase the
rate packets are injected into the network until it reaches an
equilibrium.

The TCP specification describes another technique known as
"delayed ACK", which concerns the receive side. The technique
calls for an acknowledgement of a data packet to be delayed for a
short period of time - the delayed-ACK interval. Different TCP
implementations use different delay intervals. The TCP specification
(RFC1122) mandates that the delayed-ACK interval must be less than
0.5 second. Delayed ACK serves to give the application an opportunity
to send an immediate response, in which case the ACK can be
piggyback'ed with the packet carrying the response. This technique
is very useful, both in saving the network bandwidth and in reducing
the protocol processing overhead, and is widely adopted by TCP
implementations. The TCP standard also recommends that an ACK not to
be delayed for more than two data packets. This is to keep the slow
start algorithm on the sender side flowing, which counts on the ACK
packets coming back from the receive side in order to strobe more
data packets into the network.

2) TCP SENDER/RECEIVER DEADLOCK - THE IDLE TIME

A simplistic implementation of delayed ACK can cause unnecessary
idle time during the initial data transfer phase in a client-server
network environment. The scenario is as follows. When a sender
request can't fit in one TCP packet, TCP will break it up into
multiple packets. During the initial slow start phase, the sender
is allowed to send only one packet. Therefore only a partial sender
request is sent. The receiver application, upon receiving the
data in the packet, is not able to respond because the data is
incomplete. In the mean time, the receiver TCP is holding back the
ACK, waiting for the second data packet to show up. But the sender
TCP is waiting for an ACK to come back before sending more data - a
temporary deadlock. Eventually, the receiver TCP will give up the
waiting after a delayed-ACK interval, and send back an ACK.

This interplay of a simplistic delayed-ACK implementation with
slow-start algorithm accounts for the idle time problem seen in a
number of WEB benchmarks. These benchmarks employ HTTP response
messages of at least 8KB and usually more. On a typical network,
this size of data requires more than one TCP packet to carry.

During the idle time, the client TCP holds back the acknowledgement
of the first packet while the client HTTP is waiting for the rest
of the response data from the server before it can issue the next
HTTP request. But the server is waiting for the client TCP to ACK
before it can send the rest of response data.

3) SOLARIS CLIENTS - NO DELAY ON INITIAL ACK

Only configurations with clients that use a simplistic delayed ACK
implementation, e.g. Windows/NT, will exhibit the idle time problem
when talking to a Solaris server. Configurations using Solaris
clients are not affected by this problem because Solaris uses a more
sophisticated delayed-ACK algorithm. It recognizes the initial data
transfer phase, and will not delay the acknowledgement of the first
data packet.

4) SLOW START BUG - NO MORE IDLE TIME

Configurations using a server running Windows/NT, or an OS with a
BSD derived TCP stack don't exhibit this idle time problem. This
is, rather ironically, due to a widespread bug in the slow start
implementation in both Windows/NT and BSD derived TCP stacks.

The bug in the server erroneously takes the last ACK in the TCP 3-way
connection handshake as an indication of a data packet successfully
going through the wire. Therefore, when the server is ready to send
back the first response, it is allowed to send TWO, instead of one
TCP packet. The client, upon receiving two packets, will ACK
immediately as suggested by the TCP specification.

5) BREAKING DEADLOCK - THE WORKAROUND

A new TCP tunable "tcp_slow_start_initial" has been added to the
Solaris 2.6 release. The default value is one (1), which gives the
same behavior as Solaris 2.x releases prior to 2.6, and is fully
compliant with the current TCP slow-start standard (RFC2001).

The amount of the extra delay described above depends on the
delayed-ACK interval of the client's TCP stack, and is usually on
the order of 200 milli-seconds. For a normal TCP connection, this
delay is hardly noticeable. Nevertheless, it may not be true in an
environment that employs many short-lived connections, or connections
transmitting only a small amount of data. A good example is a WEB
server. In those environments, one should consider changing
"tcp_slow_start_initial" from the default value of one (1) to two (2).

The potential downside of the change is that, with many clients all
starting at two packets instead of one, more network congestion
might be introduced. IETF (Internet Engineering Task Force, the
industry group that governs the Internet standards), after recognizing
the problem described here and the widespread of the slow start bug
described in 4) only recently, conducted a preliminary study over the
global Internet on the effect of amending the slow start algorithm
to start at two packets instead of one. The study found no evidence
that the change caused more congestions. It's still conceivable,
although rare, that on a configuration that supports many clients on
very slow-links, the change might induce more network congestions.
Therefore the change of "tcp_slow_start_initial" should be made with
caution.

Sun is actively participating in an effort in IETF to revise TCP
specification to allow more packets to be sent initially. Once the
revision is ratified, Sun will take the appropriate actions to
upgrade Solaris TCP accordingly.

6) COMMANDS FOR THE WORKAROUND (Solaris 2.6 only)

> su to root
> ndd -set /dev/tcp tcp_slow_start_initial 2

See ndd(1M) for an explanation of the tuning facility.

Re:This was reported by SUN in 1997 !!!

[Dachannien]

Except that RFC 2001 doesn't actually supercede RFC 0793, and RFC 2001 specifically indicates that delayed ACK, while present in most TCP stacks at the time (1997), was not an officially documented part of TCP.

Yes, it was a braindead way to implement delayed ACK. However, that actually isn't the same as the issue in the original article, which was that MS was taking a shortcut around the established protocol described in RFC 0793.

Re:Persistent Connections

[xcomputer_man]

Err, I don't think so. From what I've read about HTTP KeepAlive, the connection should be kept alive by adding a "Connection: KeepAlive" header to the request or something like that. I can't imagine any reason why any protocol should want to interfere with the TCP handshaking sequence for keepalive purposes. That would mean crossing out of the application layer into the transport layer.

This issue caused me a lot of grief last year, and I am just figuring out why. We set up a webmail server using Apache/Vhosts and OpenSSL, and we had this recurring problem of links just suddenly breaking in IE ... It'd just return "Page could not be loaded" or something like that. The problem never cropped up in Mozilla or other browsers, and eventually I found out that if I added this line:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

to the virtual host configuration, the problem went away. Now that I've read this article, I think I understand why. What I think is happening here is that Microsoft trying to make the most out of keepalive/persistent connections by bending the rules. And it's not right.

Re:Mozilla is quick too... but...

[The+Jonas]

Lynx is faster... :)

Re:Slashdotted! Why can't Slash cache the page loc

[Mad+Bad+Rabbit]

Should be easy. Or perhaps Slashdot can just include CACHE'd links from Google instead of the real URL?

They'd need to cache all linked images and video from the slashdotted page as well, since this typically happens to pages whose main content is pictures of lego casemods or whatever, and Google doesn't cache images.

Another solution might be to run a QoS proxy. So, if Slashdot is about to link to weaksite.org that can only handle 10 hits/sec, the link would be:

http://qos.slashdot.org?rate=10&weaksite.org/nea to.htm

Re:Ummm... HTTP1.1 Anyone

[jazperbg]

This is more than just a persistant connections. What IE is doing is sending the request for the page *before* any sending SYN or ACK packets that every TCP/IP application is supposed to send. Only Microsoft's own IIS server responds to these requests, so connections to any site using Apache (more than 50% according to Netcraft) or another server will result in one extra useless packet at the start, before IE realises it isn't talking to an IIS server and goes back to obeying standard TCP/IP rules. This is what causes some sites (ones using IIS) to load incredibly fast in IE, and some sites (ones using other server software) to take a lot longer than they should.

Re:slashdotted

[coupland]

My worthless opinion:

1. Slashdot is not a hosting site so they shouldn't offer to mirror.
2. They have no way of knowing if a site can't handle the load.
3. Waiting for a mirror to appear would make news show up incredibly slow.
4. The community automatically mirrors or pastes content that has been /.-ed you just need to spend 2 seconds reading the comments.
5. The guy with the Lego site is probably tickled pink that his site just got a billion hits and probably doesn't mind things crawling to a halt for a while. It's his 15 minutes of internet fame.

FWIW...

pipelining is what is being described in the blog

[The1Genius]

Sounds to me like this blog is describing pipelinging which is a standard part of HTTP 1.1...

What is HTTP pipelining?

Normally, HTTP requests are issued sequentially, with the next request being issued only after the response to the current request has been completely received. Depending on network latencies and bandwidth limitations, this can result in a significant delay before the next request is seen by the server.

HTTP/1.1 allows multiple HTTP requests to be written out to a socket together without waiting for the corresponding responses. The requestor then waits for the responses to arrive in the order in which they were requested. The act of pipelining the requests can result in a dramatic improvement in page loading times, especially over high latency connections.

Pipelining can also dramatically reduce the number of TCP/IP packets. With a typical MSS (maximum segment size) of 512 bytes, it is possible to pack several HTTP requests into one TCP/IP packet. Reducing the number of packets required to load a page benefits the internet as a whole, as fewer packets naturally reduces the burden on IP routers and networks.

HTTP/1.1 conforming servers are required to support pipelining. This does not mean that servers are required to pipeline responses, but that they are required to not fail if a client chooses to pipeline requests. This obviously has the potential to introduce a new category of evangelism bugs, since no other popular web browsers implement pipelining.

When should we pipeline requests?

Only idempotent requests can be pipelined, such as GET and HEAD requests. POST and PUT requests should not be pipelined. We also should not pipeline requests on a new connection, since it has not yet been determined if the origin server (or proxy) supports HTTP/1.1. Hence, pipelining can only be done when reusing an existing keep-alive connection.

How many requests should be pipelined?

Well, pipelining many requests can be costly if the connection closes prematurely because we would have wasted time writing requests to the network, only to have to repeat them on a new connection. Moreover, a longer pipeline can actually cause user-perceived delays if earlier requests take a long time to complete. The HTTP/1.1 spec does not provide any guidelines on the ideal number of requests to pipeline. It does, however, suggest a limit of no more than 2 keep-alive connections per server. Clearly, it depends on the application. A web browser probably doesn't want a very long pipeline for the reasons mentioned above. 2 may be an appropriate value, but this remains to be tested.

What happens if a request is canceled?

If a request is canceled, does this mean that the entire pipeline is canceled? Or, does it mean that the response for the canceled request should simply be discarded, so as not to be forced to repeat the other requests belonging to the pipeline? The answer depends on several factors, including the size of the portion of the response for the canceled request that has not been received. A naive approach may be to simply cancel the pipeline and re-issue all requests. This can only be done because the requests are idempotent. This naive approach may also make good sense since the requests being pipelined likely belong to the same load group (page) being canceled.

What happens if a connection fails?

If a connection fails or is dropped by the server partway into downloading a pipelined response, the web browser must be capable of restarting the lost requests. This case could be naively handled equivalently to the cancelation case discussed above.

Re:MSIE is to blame!

[Ponty]

So what you're saying is that MSIE is responsible for a lot of the /. effect? It seems that all of those windows-using /. readers might think once or twice about their OR or browser if they know that they're ruining the Internet for everyone else.

Bad Idea: Re:Sounds pretty decent...

[mbyte]

using UDP in favor of TCP is a very bad idea, because of TCP's congestion avoidance, or the lack thereof in UDP. If everyone starts using UDP the net performance is going to crawl. Read Tannenbaums network book for a better explenation ;)

Re:IE Fast? What are you kidding me?

[jonr]

Yeah, and you have no sense of humour, Einstein!

Re:slashdotted

As the owner and operator of a small commercial web hosting outfit I wholeheatedly agree. Just two days ago one of my clients' sites got slashdotted.

It is extremely annoying to see posts about poor server configuration from the losers who post here. The server is seldom the issue, the bandwidth is. My server gets slashdotted about once a month and every time the server load is nominal, yet my two T1s get crushed. Of course I surcharge my clients responsible for this as it creates problems for the rest of my clients.

Some responsible behavior on the part of Slashdot editors/administrators is in order. It doesn't take a genius to figure out which sites may survive a slashdotting and which may not. When in doubt, ask.

As for the trolls that whine like little bitches about lack of bandwidth, /. traffic accounts for less than 1% of my servers' total traffic, it just happens to happen over a short period of time. It is not economical for me to have 99% idle bandwidth for the 0.01% of the time that it is needed. Also, you trolls aren't paying for it, I am.

Re:Borwser Wars

[NineNine]

I think that the appropriate place for your review of various "borwsers" is maybe in your journal. It's completely unrelated to this discussion.

Standards Last Refuge of Market Failures?

[reallocate]

This story will provoke angst about standards, but, to be sure, why should an end user worry about standards? If the 90+ percent of the world that use IE are satisfied with its performance, what relevance have standrds for them?

Standards make life easier for developers, but not necessarily for users. Isn't there some truth in the fact that standards tend to be the refuge of people who can't sell enough product?

Re:Standards Last Refuge of Market Failures?

[LostCluster]

Standards allow somebody else to build a web browser and/or web server.

If suddenly IE only worked with IIS powered servers, and IIS would refuse to send to anything that wasn't IE... there'd be no competitors to MS in those fields who could play the same game.... and you know what MS does once it gets a monopoly, don't you?

Re:Standards Last Refuge of Market Failures?

[reallocate]

>> ...If suddenly IE only worked with IIS powered servers, and IIS would refuse to send to anything that wasn't IE...

That would generally be considered A Bad Thing, but I'm suggesting that with 90+ percent of computer users in the world using IE on Windows there'd be a very strong financial incentive for businesses to buy that restrictive version of IIS. Someday, MS may very well tack on some compelling goodie to the IIS/IE/Windows triumvirate that will bring about that scenario anyway.

What I'm suggesting is that standards -- by the W3C or whatever -- are overwhelmed by the market.

Re:Who cares?

[NineNine]

Wow. So instead of moving my mouse "up" to the tabs, I instead move it "down" to the taskbar? or even have to press TWO buttons at the same time? Whoa. That is serious. I can see where tabs in the browser can save several nanoseconds, while taking up valuable screen real estate. Impressive.

Comment removed

[account_deleted]

Comment removed based on user account deletion

This reminds of netscape FTP.

[drinkypoo]

I don't know if netscape still does this (I hope not) but in days of yore it used to just never terminate FTP connections, which pissed FTP server administrators off so much that a number of them figured out how to disallow netscape from FTPing from them entirely. It basically would wait for the FTP server to time out the connection in all cases, even if you closed the window entirely. Nice for the user, but not so nice for the administrator.

It's amusing that netscape did it first (before IE existed) and now IE is getting flamed for similar behavior.

Re:slashdotted

[WiPEOUT]

3. Waiting for a mirror to appear would make news show up incredibly slow.

... and /. is renowned for getting news to it's readers in a timely fashion, so this would be intolerable.

This sounds like T/TCP

[jelson]

Which is a standard What is everyone complaining about?

Re:This sounds like T/TCP

[jabley]

Not a standard. RFC 1644 is classed experimental; it's not a standards-track protocol. See The Internet Standards Process (RFC 2026). The claim in the story leader that Microsoft were somehow ignoring RFCs looks, uh, foolish though, which is the point you were making.

Re:This sounds like T/TCP

[jelson]

Not a standard. RFC 1644 [rfc-editor.org] is classed experimental; it's not a standards-track protocol.

You're right, of course. My claim of it being a "standard" was 1 part attempt to be pithy, 1 part annoyance at my two I-D's having been stranded in IESG limbo for 2 years. :-)

Sacrifice security, compatibility for performance?

[Glytch]

Of course not. Microsoft would never do such a thing. I scoff at your ridiculous suggestion, good sir.

Re:slashdotted

2. They have no way of knowing if a site can't handle the load.

We have this remarkable thing called e-mail.

3. Waiting for a mirror to appear would make news show up incredibly slow.

Slow? Like Slashdot posting about the Lindows CEO days after it's been on CNN's front page? FAST!

4. The community automatically mirrors or pastes content that has been /.-ed you just need to spend 2 seconds reading the comments.

They essentially steal the decision of whether or not a site wants its content reproduced on Slashdot, in an ad-hoc attempt at 'mirroring.'

5. The guy with the Lego site is probably tickled pink that his site just got a billion hits and probably doesn't mind things crawling to a halt for a while. It's his 15 minutes of internet fame.


People pay for bandwidth. Some of them would like Slashdot to ask permission first. Remember Doug Bagely's Shootout, you pompous, self-centered, delusional prick?

Re:Ummm... HTTP1.1 Anyone

[sremick]

This can be adjusted/eliminatged with the following pref:

user_pref("nglayout.initialpaint.delay", 0);

What's the point ?

[Digital+Soldier]

I'm missing the point of this /. story. M$ bashing? An attempt to establish a position on the "moral highground" for the non-M$ community? Trying to convince IE users to switch to another browser because using IE would constitute a standards violation (say it isn't so!)?

Boring.

Re:THIS HAS GOT TO STOP!!

[NineNine]

Well, Slashdot can devastate my site with traffic whenever they'd like.

This is NOT the standard HTTP 1.1 keepalive

[Admiral+Burrito]

If this is what I think, namely that IE doesn't close the connection after getting the response, the author may want to look into HTTP 1.1 and this thing called "persistent connections". If a browser expects to make multiple requests from a server, the browser is allowed to leave the connection open and make further requests over it.

You might want to look into HTTP 1.1 as well. In fact, so should Microsoft, because (if the article is accurate) they've apparently re-invented the wheel in square form.

Standard HTTP 1.1 keepalive still uses a regular, plain, vanilla TCP connection. No FIN packets until the connection actually is finished. It simply doesn't close the connection, allowing further requests on the same connection (because the connection is still open). The connection is closed - using the standard methods - when one side decides to close the connection (eg. after a timeout).

What is described in the article is a bastard half-closed connection, which is completely unnecessary unless your goal is gratuitous violation of the TCP spec.

Re:This is NOT the standard HTTP 1.1 keepalive

[Todd+Knarr]

No, what's described is a plain vanilla half-close of a standard TCP connection. The server called shutdown(), sends a FIN, the client stack ACKs it. The browser doesn't call shutdown(), hence it doesn't generate any FIN packet for it's half of the connection. It's entirely acceptable from a TCP-protocol standpoint, although highly annoying.

Re:This is NOT the standard HTTP 1.1 keepalive

[RickHunter]

What is described in the article is a bastard half-closed connection, which is completely unnecessary unless your goal is gratuitous violation of the TCP spec.

You know, I seem to recall some guy saying that Microsoft's long-term goal was to embrace, extend, extinguish TCP/IP. And that they'd start by making tiny little changes so that Microsoft programs talking to Microsoft programs worked much better than Microsoft/non-Microsoft. He got booed down quite loudly - everyone claimed that they could never try anything like that. It'd be noticed immediately and they'd have a PR disaster.

The odd thing? He was half-right. He was wrong only in saying that they hadn't done it yet.

Re:This is NOT the standard HTTP 1.1 keepalive

[Yokaze]

Half-close? As in half-correct? I thought this is a three-way handshake, which is a necessity as the underlying protocol is considered unreliable.
RFC 761 it is explicitly stated that both connecting and disconnecting involves a three-way handshake with SYN/ACKs and in the case of disconnecting FIN/ACKs.

Of course, the second FIN may be lost (or not send at all, as in MSIEs case), so additionally there is a time-out, which will make the connection close anyway. But this is somehow undermining the sense of the ACKs.

In RFC 793 (supersedes RFC 761) 3.1, I read nothing about a "half-close".

Re:This is NOT the standard HTTP 1.1 keepalive

[Aapje]

I checked it out, NetBeui is unsupported but still provided. It seems they are indeed fasing it out in favor of TCP/IP. Good ;)

Re:This is NOT the standard HTTP 1.1 keepalive

[Todd+Knarr]

You failed to read all of RFC793. When the server sends a FIN to the client, the client is required to ACK it, but the client is not required to send a FIN to the server at that point. If the client doesn't close it's half of the connection (triggering the send of it's FIN packet), it's allowed to continue to write. That's why the shutdown() socket call takes an argument indicating whether to close the read half, the write half or both halves of the connection. Of course, if the server has completely closed and disposed of the socket on it's end, incoming packets will fail to match a connected socket on the server and an RST will be generated.

It was thought more likely to work the other way, with the browser sending a FIN packet to the server immediately after sending it's request, closing the browser-to-server half of the connection, and the server would then send the response back down the server-to-browser half of the connection before sending it's FIN packet to the browser to complete closing the connection. As it turns out, things took a different route and the opposite happens.

This article is oudated or wrong

[ealar+dlanvuli]

I looked at a connection from IE6 and it sent the apropriate packets. Please discard parent article.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Actually... it's whiners like you

[Afrosheen]

Nice. As we all know, the real flamewars are best fought anonymously. As kirk would say 'double dumbass to you!', and recognize an obvious joke when you see it next time.

faster than Phoenix?

[Chuck+Bucket]

is IE faster than Phoenix? seriously, that would be a comparision I'd like to see. also, if IE edged it out, you'd have to retest it every 6 months or so since Phoenix get's faster and faster as the days go on.

hey, Linux users, for more Phoenix speed plug this into yr ~/.phoenix/default/xxxxxxxx.xlt/user.js file:

• // This one makes a huge difference. Last value in milliseconds (default is 250)
• 
  user_pref("nglayout.initialpaint.delay", 0);

CB

Re:Who cares?

[NortWind]

Business is business...

There's "What's good for the next quarter?" business, and then there's "What's good for our business over the long haul?" business. Not considering the future won't keep it from happening.

You're only saving on Round-Trip delays

[Leeji]

The blog describes the full HTTP transaction process as:

Client: SYN
Server: ACK
Server: SYN
Client: ACK
Client: HTTP Request

Which IE (allegedly) "hacks" and the transaction really goes like:

Client: HTTP Request

If this is true, then IE saves 2 round trips per connection. Clients generally open 4 connections per server, and keep them open (alive) until they've downloaded the page and all supporting files. So IE possibly saves 8 round trips per page with this (alleged) hack.

For domestic dialup connections, the average round-trip latency is 60ms. DSL is around 40, while cable is around 20. Ping slashdot.org to find out the latency of your connection.

So, for a domestic dialup user connecting to an IIS server, a straight request (with no handshake) would save 8*0.06s = 0.48s. The page mentions combining SYN/ACK packets, so this may even be less of a savings.

An 0.48s cheat in page load times hardly makes IE "impossibly fast" when page load times over a modem typically run > 20s.

Also, don't forget that this blog also talks about non-IIS servers balking at this non-standard connection setup with with an RST packet. That adds 4*0.06 = 0.24s to page load times on, say, Apache servers. If true, that doesn't make IE "ridiculously slow," either.

Re:You're only saving on Round-Trip delays

[WhiteDragon]

Ping slashdot.org to find out the latency of your connection.

ok, I'll bite this troll. Slashdot hasn't answered pings (ICMP echo requests) for a very long time. The poster obviously didn't actually try to ping slashdot.org... food for thought, or just innocent mistake? :-)

Re:You're only saving on Round-Trip delays

[WhiteDragon]

Perhaps I may have been a little hasty in labelling the poster a troll. I just figured it was common knowledge that slashdot does not answer pings, and therefore anyone saying it was trying to get a reaction. It may not be as common of knowledge as I believed.

Re:Ummm... HTTP1.1 Anyone

[borggraefe]

Mozilla was changed recently to wait just 250ms before it starts to render a page. So the next release will feel a little bit faster because of this.

A*N^2+B*N+C

[MarkusQ]

The more IE windows you have open, the longer this pause tends to be.

I looked into this a while back and came to the same conclusion. Running stopwatch tests and curve fitting to A*N^2+B*N+C, it looked like the time went up with the square of the number of windows (B was ~ 0, and C was...a constant).

So I told the user who brought it up to 1) not open so many windows or 2) switch to something other than IE.

IIRC, she switched to Opera.

-- MarkusQ

You forgot one..

[warpSpeed]

6. By the time the story is repeated/reposted on /. the site should be prepared with more bandwidth for a second /.-ing :-)

Re:Why is IE dealing with SYN?

[baptiste]

Isn't SYN supposed to be TCP's job?

Does IE have a custom TCP layer in it?

You're kidding right? IE is not some stadn alone program. It has MANY links into low level microsoft stuff where it is 'part' of the WIndows OS. This was the whole arguement of M$'s lawyers, that IE couldn't be removed easily.

So it wouldnt' surprise me if IE had access to some special stack API to pull stuff like this. Would not surprise me at all.

sigh ... mod -1 disinformative?

[Edgewize]

The parent +5 post is flat out wrong. This is not about persistant connections, which is a high-level HTTP feature that keeps a connection open so that the browser can send more requests. This is about a low-level TCP hack that IE uses to get a small speed boost on IIS servers, while breaking TCP standards compliance.

If I read the article correctly, instead of creating a new TCP connection and then sending a request, IE sends the request immediately without bothering to finish the TCP handshake. Microsoft IIS web servers deal with it automatically, and it is faster because it saves a round-trip wait for the ACK and the following requset.

The down side is that non-IIS servers have no clue what this incoming packet is. It must be invalid because it is not a SYN. So it gets thrown away, and the server might or might not reset the connection. If a non-IIS server resets the connection, IE goes with a standard TCP handshake and has wasted only the round trip time for the request packet and the RST. But if the server swallows the invalid packet and does not send a RST, then Internet Explorer will just sit around for a few seconds until it times out and falls back to a standard TCP conection.

The summary is that IE is breaking the TCP protocol for a small speed boost when connecting to IIS servers. It results in a small speed penalty when connecting to most non-IIS servers. When connecting to non-IIS servers that do not reset the connetion, it results in a very noticable delay.

It could also be a potential security risk, because if this is true, then it makes it very easy to IP-spoof a HTTP request against IIS (since the request is a self-contained packet instead of a long connection sequence).

Re:sigh ... mod -1 disinformative?

[Dachannien]

It could also be a potential security risk, because if this is true, then it makes it very easy to IP-spoof a HTTP request against IIS (since the request is a self-contained packet instead of a long connection sequence).

What's more, if IIS responds immediately with a MTU-sized piece of data, using a reflection-based attack - reflecting off of IIS hosts - would result in a linear magnification of the size of a request packet to an MTU-sized piece of data (at minimum - it is possible that the IIS host would have sent multiple packets in the time it takes for the victim to send a RST, and thus multiple RSTs would be generated by the victim in that amount of time).

So, a large amount of data could be generated through the sending of a small amount of data, and you don't even have to root the IIS hosts to make it work ;)

To laugh at you troglodytic slashbot fucktards

[CaptainSuperBoy]

NO TEXT

or ridiculously slow...

[orbital3]

Yeah, IE is ridiculously slow sometimes, like right now as I'm trying to load this site... oh wait, that's just because the server is engulfed in flames.

Re:slashdotted

[Tim+C]

2. They have no way of knowing if a site can't handle the load.

I'd agree with you there, if it weren't for the fact that it happens all the damn time, hence your fourth point.

It really wouldn't kill the editors to at least try to get in touch with the server admin; you know, display a little common sense and courtesy?

This is a hoax!

[hotpotato]

This seems to be a hoax.

Here's a tcpdump for www.microsoft.com, on an XP box:

03:47:16.259661 10.0.0.52.1328 > www.us.microsoft.com.http: S 2485226999:2485226 999(0) win 16384 (DF)
03:47:16.279661 www.us.microsoft.com.http > 10.0.0.52.1328: S 631604626:63160462 6(0) ack 2485227000 win 65535 (DF)
03:47:16.289661 10.0.0.52.1328 > www.us.microsoft.com.http: . ack 1 win 17520 (D F)
03:47:16.289661 10.0.0.52.1328 > www.us.microsoft.com.http: P 1:398(397) ack 1 w in 17520 (DF)
03:47:16.339661 www.us.microsoft.com.http > 10.0.0.52.1328: . ack 398 win 65139

And here's for www.msn.com:

03:50:22.169661 10.0.0.52.1397 > www.msn.com.http: S 2535664221:2535664221(0) wi n 16384 (DF)
03:50:22.199661 www.msn.com.http > 10.0.0.52.1397: S 3601141750:3601141750(0) ac k 2535664222 win 65535 (DF)
03:50:22.209661 10.0.0.52.1397 > www.msn.com.http: . ack 1 win 17520 (DF) 03:50:22.209661 10.0.0.52.1397 > www.msn.com.http: P 1:391(390) ack 1 win 17520 (DF)
03:50:22.269661 www.msn.com.http > 10.0.0.52.1397: . ack 391 win 65146

These look like perfectly valid TCP handshakes. I did notice that when refreshing a site, IE reuses the previous connection, but that's legal (assuming it used Connection: KeepAlive in the HTTP header. I didn't verify that.)

The samples were taken on my network's gateway, which is a Linux box, hence impartial :)

But don't take my word for it. Try it yourself!

Re:This is a hoax!

[archnerd]

My results match yours, using Win98SE. However, it's been updated to use the latest version of IE. The blogger stated that these results are from a few years ago, so I'd do some more research before denouncing it as a hoax.

Re:This is a hoax!

[utahjazz]

(assuming it used Connection: KeepAlive in the HTTP header)

Never assume.

This is the key to this whole mess. The dude who wrote the blog doesn't know about the KeepAlive HTTP header.

This is about the funniest thing i've ever seen on Slashdot.

Read the whole fucking RFC people.

Re:This is a hoax!

[Jordy]

Verified with Windows XP and IE 6.0. The connections appears perfectly valid.

It actually appears to open multiple connections sometimes (first time I hit a site it appears for most.)

I'd say this story is bogus. NAT's would really hate this behavior, so I can't imagine it speeding anything up.

This sounds like a cock-up, not a conspiracy

[hayden]

Atleast from IE's point of view. It sounds as though the way pipelining is done is by simply trying a request first and they are using some low level api to the network stack. So if the connection happens to be open they get a speed up, if not they get a slow down. Seeing as the connection is going to be open more than it is closed it's a general plus.

The IIS team probably noticed this and just accepted the command even though there wasn't actually a valid TCP connection present. So if they receive a packet that looks enough like a HTTP request then do it. There's probably a stack of vulnerabilities here.

The interesting point is that IE and IIS must be using the network stack at a layer lower than the BSD style socket calls otherwise these packets would be rejected at the OS level and no, I don't believe Windows' networking stack is that crap. TCP processing is fiddly so cue more security holes.

This is also an easy in to hurt IE performance. Rather than responding to the dud packet with a RST, don't respond at all (which according to the article is an acceptable response). I'm not sure how linux handles this atm. The end result is IE is dog slow to start loading the page but every other browser is super quick.

And to all those people who posted saying this is HTTP pipelining, please don't talk about networking, ever. You lack a basic understanding of how network protocols are layer upon each other. It would be better if you just rub your chin and nod sagely, possibly saying "hmmmm" at the same time. That way you wont look so stupid.

Re:This sounds like a cock-up, not a conspiracy

[spectecjr]

Atleast from IE's point of view. It sounds as though the way pipelining is done is by simply trying a request first and they are using some low level api to the network stack. So if the connection happens to be open they get a speed up, if not they get a slow down. Seeing as the connection is going to be open more than it is closed it's a general plus.

No, they're just calling
WSAConnect (MSDN Library documentation).

But hey, who am I to get in the way of a good conspiracy theory with real data?

Simon

Re:This sounds like a cock-up, not a conspiracy

[hayden]

No, they're just calling WSAConnect (MSDN Library documentation). But hey, who am I to get in the way of a good conspiracy theory with real data?

And how do you know this?

Re:This sounds like a cock-up, not a conspiracy

[spectecjr]

And how do you know this?

Because I'm a software developer, and I know my way around Winsock. The rest is just purely educated assumption, based on the behavior of WSAConnect.

Simon

Re:This sounds like a cock-up, not a conspiracy

[spectecjr]

Oh, and here's a dump of what the Winsock stack is doing on a GET from Slashdot:


Seq Time Process:PID Action Protocol Local Address Remote Address Status Bytes

2 6:45:28 PM iexplore.exe:3228 CONNECT TCP Entropy:1166 slashdot.org:http SUCCESS
5 6:45:29 PM iexplore.exe:3228 SEND TCP Entropy:1166 slashdot.org:http SUCCESS 590
6 6:45:30 PM iexplore.exe:3228 RECEIVE TCP Entropy:1166 slashdot.org:http SUCCESS 1400
7 6:45:30 PM iexplore.exe:3228 RECEIVE TCP Entropy:1166 slashdot.org:http SUCCESS 1400
16 6:45:30 PM iexplore.exe:3228 RECEIVE TCP Entropy:1166 slashdot.org:http SUCCESS 0
17 6:45:30 PM iexplore.exe:3228 RECEIVE TCP Entropy:1166 slashdot.org:http SUCCESS 1624
18 6:45:30 PM iexplore.exe:3228 DISCONNECT TCP Entropy:1166 slashdot.org:http SUCCESS



Note that there's nothing out of the ordinary here. No false attempts -- that's all of the traffic to the site.

Also, don't forget that if an app doesn't use the correct TCP initiate/shutdown procedure, it won't get through a NAT firewall. And I've not seen any complaints about that being a problem with IE to date.

Simon

Re:slashdotted

[chunkwhite86]

It is preposterous to expect slashdot to be responsible for linking to someone else's site. By putting content on the WWW, you are explicitly allowing others to visit your site.

The site operators are the ones who are liable for their own content and their own bandwidth usage. If they don't want more than a certain number of people visiting their site, they should tweak their web server accordingly. Not everyone has bandwidth that is metered.

just my 2 cents.

Re:slashdotted

[akmed]

My worthless answer to your opinion:

1. Slashdot is a hosting site in that I can create my own journal on it and they have free membership.
2. Common sense will tell you that if you aren't linking to a major, well known website or some sort of .edu site that it probably cannot handle it (unless it's got a specific disclaimer saying something like 'Bring it on Slashdot!' ).
3. Sorry if you have no patience, but if you're expecting someone else to find news for you then you're already adding what should be, to you, an intolerable delay and instead you should be out combing the web to find news long before it shows up on slashdot.
4. The community automatically STEALS the copyrighted information from these sites without requesting permission or even checking to see if there's any statement allowing reprinting of information. If you're one of those people who thinks 'information wants to be free' you just go ask your local judge whether copying a copyrighted work without permission is illegal or not and see what (s)he says.
5. The guy with the lego site might've been tickled pink. Or he might've been atomic red. At least userfriendly has a little banner that someone can use when they've been selected as a LOTD.

Slashdot is rude in selecting their targets. And I've had submissions rejected before only to see them appear a day later (I'm not bitching about that; I know there're various editors and factors concerning what links are chosen) so timeliness of news really isn't a good argument. While anyone with a geek nature wants to know things ASAP, this really wasn't a time sensitive thing. There was no reason to post this link without dropping a quick email to the site owner and attempting to defend slashdot's editors in this case is like trying to attack an elephant with a fly swatter. Either endeavour will not result in much success.

Re:Who cares?

[rseuhs]

You don't get it, do you?

On IE:
1. Open In new Window
2. Window pops up
3. Switch back to old window until the new window is loaded
4. Later Switch to now window

On Mozilla:
1. Middle-click for opening in new tab
2. Later switch to new window

Understood?

Re:Even RAM cache is insecure...

[3247]

Something cached in RAM is sometimes recoverable if the machine has not been switched off since the offending item was cached.

You show complete ignorance of how computer programmes work: In order to display a web page, it has to be loaded into RAM anyway. A "RAM cache" only does not delete it immediatly after you leave a page. So even without a "RAM cache", it's possible that you will find fragments of "secure" web pages in dump files.

Re:slashdotted

[Shotgun+Willy]

And sometimes they get the news to us more than once in a timely fashion! It's great, like having instant replay on the news...

Re:Slashdotted! Why can't Slash cache the page loc

[rseuhs]

Actually, every comments-page is 20 times as large as the average article (without pictures of course)

Hell, even the complaints about slashdotting take more space than the article itself - Add to that that usually the article is pseudo-mirrored in the comments area anyway.

Re:Ummm... HTTP1.1 Anyone

[Fweeky]

This is tweakable using user JS too:

user_pref('nglayout.initialpaint.delay', 250);

In your prefs.js in your Mozilla profile directory.

Re:slashdotted

[Banjonardo]

Heh, the worst is when they get re-slashdoted a couple days (hours?) later and scream something obscene about reposts.

not really

[geek]

Its very buggy right now. My browser was far slower using that exact same fix. BTW it's not just a Chimera option, any Gecko based browser can use it.

I don't recommend it with Chimera, I was having lots of crashes and spinning beach balls. Unexplained rendering problems, some sites wouldn't render till the 3-4th try. You'll also notice lookup problems. All of this went away when I turned it off.

They worked around it instead

[leonbrooks]

The Internet treats everything stupid like that as a network failure and routes around it.

There are hacks all through most Web, FTP etc servers to deal with stupid traffic from IE and/or Windows. For example, there's a standard SetEnvIf command for Apache's config to work around this exact problem with IE (which would otherwise work at connection-flooding the server, and if said server actually left those ports open like IE wanted it would be begging to be blind-spoofed).

If you complain, nothing gets done...

Let's all hand out free drug samples

[leonbrooks]

Yeah, keep rationalizing your actions when you're nothing but a thief.

Yes, there is that, but even more annoying is he's helping the software drug trade along by handing out free samples. If `Microsoft is evil' then so is their software.

Re:Let's all hand out free drug samples

[kingkade]

That's a really good point, but I guess we can't expect these people to see the absurd irony in their paper-thin ideology if they're too stupid/immoral to know stealing is wrong.

Re:Let's all hand out free drug samples

[leonbrooks]

they're too stupid/immoral to know stealing is wrong

I suspect that at some level they know, but it's human nature (our human nature) to justify what we're doing instead of changing it.

FAQ: THIS IS *NOT* PIPELINING!

[leonbrooks]

Isn't this somewhat like keepalive and pipelining?

As has been said countless times already, no. This is a violation of the TCP standard. Pipelining works within the HTTP standard, and part of that is keeping the connection open using standard TCP signalling technology, which this is definitely not.

Re:slashdotted

[jkeyes]

and /. is renowned for getting news to it's readers in a timely fashion, so this would be intolerable.

So timely infact that they have to post it again and again sometimes twice on the same day!

FAQ: THEY ARE *NOT* DESCRIBING PERSISTENCE

[leonbrooks]

Persistent connections work through the HTTP protocol layer over standard TCP, this is a violation of a much lower TCP protocol layer instead.

Re:Still need the connection setup?

[Todd+Knarr]

It is being set up properly. What happens is that the browser hasn't closed it's half of the connection. When the next request happens it tries a TCP write, but since the server side has closed the connection the write fails. That's what's confusing the blog author, they're not familiar with the TCP protocol. A TCP connection has two halves and it's entirely legal to close one half but not the other, leaving a socket that can be read from but not written to (or vice versa). IE doesn't check for the server-side close like it should, treats the socket as if it's writable (which it is) and writes to it. Since the server's closed the socket on it's end, that attempted write generates an RST (which is TCPly correct), the browser gets a write error and finally notices that it's connection has been closed by the remote end, closes everything down like it should have much earlier and builds a completely new socket.

You can get this same behavior between two Linux systems. The server side goes:

1. socket(...)
2. listen(...)
3. accept(...)
4. read(...)
5. write(...)
6. shutdown( SHUT_RDWR )
7. close()

The client side goes:

1. socket(...)
2. connect(...)
3. write(...)
4. read(...)
5. write(...)
6. Note error
7. close(...)
8. socket(...)
9. connect(...)

In IE, steps 3 and 4 in the client handle one request. Step 5 is an attempt to handle the next request assuming that the server handles persistent connections. Step 6 is where IE notices that the server doesn't do persistent connections.

The right thing to do would be to notice the HTTP version and lack of a Connection: header indicating support for persistent connections in the response and close the connection upon receipt of the response. IE is stupid in not handling non-persistent-connection servers as it should, but it's not violating or even bending the TCP protocol spec in any way. It's just stupid coding.

Re:Ummm... HTTP1.1 Anyone

[spectecjr]

This is more than just a persistant connections. What IE is doing is sending the request for the page *before* any sending SYN or ACK packets that every TCP/IP application is supposed to send.

I think you'll find that the request is sent with the connection request, and is perfectly legal TCP/IP.

The thing is, BSD sockets doesn't let you easily do this.

Most Unix apps do this:

SOCKET s = socket(...);
s.connect(...); .. note: the connect request does not return until it has been acknowledged.
s.send(...);

What IE is doing is this:
SOCKET s = socket(...);
WSAConnect(...); ... where the WSAConnect call has data it will send with the connect packet inside it.

This is ALL perfectly valid TCP. Remember; the flags in the packet are what determine how to handle the incoming packets; the data is handled separately. You can quite happily send data with your connect request, as long as you're willing to accept that the request may well fail.

Simon

another case of special interaction of IE & II

[CySurflex]

I had a problem with IE & IIS I had to deal with a few years ago. We used a server side redirect, and it would break sometimes on IE 4, it worked fine on the rest of the browsers. It turned out it was a bug, in the way IE interacted with IIS.

it's documented here: "Object Moved Error"

Re:slashdotted

[kasperd]

We have this remarkable thing called e-mail.

You might not always be able to find the right address, even if there is an address on the page it might not be the right person to ask about bandwidth.

People pay for bandwidth.

I'd avoid those ISPs where you have to pay for the amount of traffic. Signing a contract where you have to pay for something where the price is completely out of your control sounds like a bad idea to me.

Re:slashdotted

[/dev/trash]

1. true.
2. well if it's say a geocities site, they have an idea, I'd say.
3. Been here very long? Dupes and old news IS Slashdot.
4. Can you trust a cut n paste?
5. Read the Kuro5hin article and you'll see that, yes people sometimes do like being Slashdotted.

Re:IE and IIS probably coded with MFC

[einhverfr]

Also I was once talking with a former MS Exchange developer. He said that since Exchange shipped separately from Windows, they were restricted to documented API's.

IIS and IE ship as part of Windows and so would not be subject to this limitation.

Re:slashdotted

[CaptainSuperBoy]

I'm surprised you fell for that, it's a really bad attempt at a troll.

i'd like to see...

[drDugan]

something I can run on my apache server that rejects clients that don not follow the rfc for tcp/ip, and hence rejects ie

I've toyed with blocking based on agent string, but that seems cruel and stoops to the level of MS...(who do this regualrly) and besides, it goes against my beliefs of software choice... however, it would be nice to redirect peopel to a page that says, "Your browser is not standards-compliant"

Re:i'd like to see...

[Biedermann]

Well, you'd be blocking me, since my browser claims to be "Notepad 2.1". (Which doesn't wash too well with some sites...)
But what I'd *really* like to see is an easy way to tell Webmasters "Your site is not standards-compliant".

(Even Slashdot editors don't care about this and delete warnings about crappy sites from posts)

That's obviously wrong.

[raehl]

There is no such thing as a competitor in Redmond.

Re:slashdotted

[coupland]

Retorts to some very silly arguments:

1. Slashdot is a hosting site in that I can create my own journal on it and they have free membership.

Irrelevant and immaterial. This has nothing to do with my comment that /. is not a hosting site, it is not.

2. Common sense will tell you that if you aren't linking to a major, well known website or some sort of .edu site that it probably cannot handle it

Then you should not post your content into the free and clear public domain where there are no controls to stop people from viewing it. It's Slashdot's fault if you post shit with no security and lots of people click on it???

3. Sorry if you have no patience, but if you're expecting someone else to find news for you then you're already adding what should be, to you, an intolerable delay and instead you should be out combing the web to find news long before it shows up on slashdot.

If Slashdot didn't post current news then their competitor, Ampersand-tilde would. And ampersand-tilde would become the most travelled site on the internet and you would bitch at them for the ampersand-effect. Are you too dumb to realize this?

If you don't like Slashdot then don't read it and fer chrissake don't post in the messageboards. Do you genuinely think you're protesting Slashdot by hanging in their forums?

Re:Sounds pretty decent...(MISUNDERSTAND? You do.)

[cervo]

First of all, the article leaves out if the URL was visited previously in the browsing session, or it was a first visit to the URL. Secondly it Does NOT MENTION a specific test with IIS. The article says what IE's teardown sequence looks like, but does not cite a full trace of an IIS server. It is basically a bunch of speculation and conspiracy theory, or the authors were in a hurry. It definitely was NOT scientifically conducted.

I HIGHLY DOUBT that Microsoft would make the connection to an IIS server between Internet Explorer and IIS lose the reliability of TCP. Images and other large files would be a nightmare to get without acknowledgements.

What I think may be happening(ingenious YES and no, read on), assuming the article isn't all just conspiracy theory, is that Internet Explorer visits a website, and leaves the connection open. Then you hit the back button(which is used extensively in web browsing) or you go to other links on the same web server. Because the client doesn't close its end of the TCP connection(REMEMBER TCP IS FULL DUPLEX), half of the connection is open. The client can just send the request immediately, the sequence numbers were already assigned, because the connection was NOT CLOSED. What support is there for my view?

1. ".And that's it. The client doesn't FIN, and the server doesn't ACK. In other words, the connection is kept "half-open" on the server end. The reason for this? Why, to make subsequent connections from IE clients faster." What is this saying? Quite simply subsequent connections would be faster by leaving it open.

2. The article goes on to show IIS's server's sequence, how it shuts down but the client leaves its upstream to the server open.

It's definitely a trade off. It means YOUR computer as well as the IIS server keeps track of the connection. For a one shot deal on a server(frequently for slashdot users), the connection being left open is a waste. Eventually it must time out, but it does eat up some server resources and it would make the slash effect worse on the machine.

The article doesn't mention what non IIS servers do. If the client(IE) doesn't FIN its end of the connection, the connection is not closed. Do other servers time out? I do notice that when web browsing there are a lot of open connections in a timed wait when I use Internet Explorer. I don't think they all use IIS. In this case, their speedup would work on any client. But I am not knowledgable enough about what Apache/other http servers do to know for sure. In my TCP/IP class a year ago in college we discussed the FIN ACK sequence both ways, but didn't discuss what happens if the client decides not to FIN(aka doesn't follow the rules) by most standard servers. It is probably a design decision. Also what does MS IIS do on the first connection? It would probably be best to respond immediately with that packet so the client could immediately open the connection. And the super slow pages could be on servers that don't answer at all so IE has to wait for the request to time out. Essentially what this article is saying is that Microsoft Internet Explorer is a resource hog. But we all knew that already, that's why we call it Internet Exploiter.

Re:Who cares?

[kasperd]

(LinuxFromScratch) mozilla build howto:

Is that site slashdotted too? I cannot get to the page.

And BTW I think that security problem probably only applies to public accessible browsers. As long as you run the browser under your personal userID, I think there is no need to worry.

Double Standard

[Effugas]

Whatever. Y'all seem to like it when *I* screw with TCP :-)

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:Double Standard

[prizog]

You document it so everyone can benefit.

You don't do it to cement a monopoly.

closer look at the TCP teardown procedure

[kelnos]

Last time I checked, most web servers could reject persistent connections.

Speaks pretty poorly of the server (or network architecture) if your only recourse is to say "it's the client's fault!"

this isn't the same deal. based on the TCP specs, here is what a server (or client, for that matter) is supposed to do when it wants to close the connection:
1) send FIN
2) wait for ACK
3) wait for FIN
4) send an ACK
if the server never receives the FIN in step 3, it assumes that the client wants to keep the connection open for some reason. this is _correct behaviour_ with regards to the TCP spec. if this article is correct, MS is merely exploiting the TCP spec to its advantage. yes, it's dirty and wastes resources, but it works.

the thing that bothers me tho, is this is what should be happening on the server end (a non-IIS server, that is):
1) send FIN
2) wait for ACK
3) ok, got ACK, now wait for FIN
4) (after timeout) hmm, no FIN, must have been lost, so we'll resend our FIN
5) client ACKs that FIN, but doesn't send its FIN
6) server thinks the response FIN is lost again, so probably resends its FIN

now the server will have a max amount of retries before it gives up and finally drops the connection (which is what it was trying for in the first place anyway). this should be a relatively low number, and the timeouts between each retransmission shouldn't be that long either. so unless IE comes back and requests another page fairly quickly, the server _should_ go ahead and drop the connection, so i fail to see how this is a problem.

the only thing i can think of is that the client keeps responding with an ACK to the server's FINs (despite not sending its own FIN), so maybe the server won't drop the connection for that reason (since the client is obviously still alive, just not responding as expected). i don't remember the TCP spec all that clearly with regards to connection teardown, so that may be where IE is able to keep the connection open.

then again, i could be totally wrong here, but i don't think so...

Re:closer look at the TCP teardown procedure

It's polite to say goodbye before you hang up the phone, but you don't have to keep saying goodbye until the other guy hangs up (unless you're in love)

Re:closer look at the TCP teardown procedure

[0x0d0a]

You realize the silliness of this when you look at not-broadband wireless computing.

What, you're talking about packet radio? Yeah, TCP/IP isn't designed for that. You also don't use it for that.

For wireless Ethernet, it makes a tremendous amount of sense -- as a matter of fact, not waiting for acks would really suck, since wireless Ethernet has relatively good latency, but has these short periods of complete packet loss or corruption.

Suddenly the chatty TCP/IP takes on this enormous liability and it looks like a foolish design. When [b]each message[/b] takes 15 to 30 seconds round trip, blowing away all the garbage and bundling requests for dozens of things in one message and one return message suddenly seems like a good idea.

How does this relate to IIS servers and the article at all?

Re:closer look at the TCP teardown procedure

[Elwood+P+Dowd]

IE doesn't exhibit this behavior with servers that don't support http pipelining/keepalives/whatever.

IIS isn't the only server that supports it, btw. Apache does, and I imagine Tux or whatever the current kernelspace webserver is supports it too.

Also, your second scenario, for a server that doesn't understand the keepalive, is, as you allow, completely wrong. If a server could be confused in such a manner, then it would be trivial to write a DoS attack for the server that would not require large amounts of bandwidth.

Re:closer look at the TCP teardown procedure

[Elwood+P+Dowd]

As other posters have pointed out, my post is informative, and wrong. This apparently is not an example of http keepalives, but rather t/tcp. A standard on a different level of the OSI model. Still totally kosher.

Workaround

[IGnatius+T+Foobar]

There are a couple of things you might want to do in order to clean up your TCP/IP traffic, if you happen to be the person who controls your organization's Linux-based firewall.

• First of all, absolutely, positively install Squid. The benefits of using a proxy cache for your outbound HTTP traffic are too clear to not do it. More importantly, however, since all your HTTP is now being application-level proxied, the TCP packets must always, always, always be correct.
• Force everyone to use it. Sure, you could block port 80 on your IPmasq, but it's a better idea to transparently redirect all outbound port 80 traffic to Squid. There's a very good mini-HOWTO document on how to do this.
• If you want to be a real bastard (like me), tell Squid to rewrite the User-agent: HTTP headers, to make every web browser within your organization report as some web browser other than IE. This has the bonus effect of "reducing" IE's market share because all those web sites think your users are running Netscape on Linux (or whatever).

Ok, that last step is kind of extreme, and I in fact had to remove it because it broke Windows Update (which I consider a feature, not a bug, but whatever...).
Of course, why do you have Windows and IE users in your organization anyway? Simply beat them with a cluestick untill they switch to Linux and Netscape. Don't let someone who claims to be a master of reality tell you otherwise -- Linux is ready for the desktop.

By the way, you should be routing all your SMTP through a Sendmail (or postfix or whatever) relay, especially if you run Exchange. This keeps your incoming mail queued up when Exchange crashes. It also prevents Exchange from talking to other Exchange servers -- or to script kiddies.

Not reproducsble with MSIE 5.0 on Win98

[pjrc]

I just fired up a vmware session with windows 98 and did a test with MSIE 5.00.2614.3500 (the one that came installed with win98 second edition, no patches or updates). Watching the ethernet with tcpdump, I did not see the behaviour specified.

I then fired up Windows XP Pro. XP sends lots of netbios stuff at startup and periodically. Very interesting. But again, nothing nearly as interesting as this article suggests. MSIE 6.0.2600.0000... also did not reproduce this non-RFC behavior.

Here is the packet log from tcpdump, with some comments. 192.168.194.211 is the Windows XP client. 192.168.194.1 is the nameserver, and 66.218.71.83 is the web server (www.yahoo.com).

First, XP asks the nameserver for the IP number of www.yahoo.com
15:19:50.426473 192.168.194.211.1026 > 192.168.194.1.domain: 2+ A? www.yahoo.com. (31)

The nameserver responds
15:19:50.702603 192.168.194.1.domain > 192.168.194.211.1026: 2 10/11/0 CNAME[|domain] (DF)

XP/MSIE sends a normal SYN packet. There is no non-RFC packet transmitted before this standard SYN packet, corresponding to an already-open connection before this as the article claims.
15:19:50.734980 192.168.194.211.1032 > 66.218.71.83.http: S 3861657940:3861657940(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Yahoo responds with a normal SYN
15:19:50.797377 66.218.71.83.http > 192.168.194.211.1032: S 3674114276:3674114276(0) ack 3861657941 win 65535 <mss 1460> (DF)

XP/MSIE sends a normal ACK to finish the connection setup
15:19:50.802506 192.168.194.211.1032 > 66.218.71.83.http: . ack 1 win 17520 (DF)

XP/MSIE sends the HTTP request (196 bytes)
15:19:50.809064 192.168.194.211.1032 > 66.218.71.83.http: P 1:197(196) ack 1 win 17520 (DF)

Yahoo responds with the first 1460 bytes of data
15:19:50.907564 66.218.71.83.http > 192.168.194.211.1032: . 1:1461(1460) ack 197 win 65535 (DF)

XP/MSIE acks it
15:19:50.919180 192.168.194.211.1032 > 66.218.71.83.http: . ack 2921 win 17520 (DF)

Yahoo responds with another 1460 bytes
15:19:50.923751 66.218.71.83.http > 192.168.194.211.1032: . 2921:4381(1460) ack 197 win 65535 (DF)

XP/MSIE acks it
15:19:50.941174 192.168.194.211.1032 > 66.218.71.83.http: . ack 4381 win 17520 (DF)

Yahoo responds with two more packets
15:19:50.999791 66.218.71.83.http > 192.168.194.211.1032: . 4381:5841(1460) ack 197 win 65535 (DF)
15:19:51.007961 66.218.71.83.http > 192.168.194.211.1032: . 5841:7301(1460) ack 197 win 65535 (DF)

XP/MSIE acks that it has received up to 7301. Notice how Microsoft is properly delaying the ack until a second packet is received.
15:19:51.013652 192.168.194.211.1032 > 66.218.71.83.http: . ack 7301 win 17520 (DF)

So there are two tests, with the MSIE shipped (unpatched) with Windows 98 SE and Windows XP Pro. It looks like there just isn't a story here.

Re:Not reproducsble with MSIE 5.0 on Win98

[MoosePirate]

You put a lot of work into that. But alas, Yahoo isn't using IIS so its all a moot point. The idea is that the combination of IE and IIS will cause this. Netcraft shows that Yahoo is running FreeBSD, and thus NOT IIS.

Re:Not reproducsble with MSIE 5.0 on Win98

[owlstead]

First of all it is not "reproducsble" but "reprecucible". Furthermore, the browser/client TCP/IP stack should start up without the "syn" packet right away. Therefore it cannot know what kind of web-server the server side is running. I must say that I have never seen one of these strange requests myself. I cannot believe this has ever been the case, or ever will be the case. Furthermore, imho Microsoft is quite nice about following HTTP standards. They have been more standardised than Netscape browsers until the 4.7 versions were replaced by - eh - mozilla 1.0 effectively :). This is a good thing too. My firewall would not allow such strange going on's in the TCP/IP connections probably (dunno, my NAT router will probably not even set up a connection without a syn package. HMMM. Maybe I should try this :). Maarten

Re:Not reproducsble with MSIE 5.0 on Win98

[TheShadow]

I think you would have to try a second request to see the behavior described. The article is talking about reusing a connection that is left half open by the client. It should be the second connection that would exhibit the behavior.

Re:Not reproducsble with MSIE 5.0 on Win98

[ZigMonty]

I have my doubts about this too but the idea was that IE is *reusing* a connection, ie. you have to have accessed the site in the recent past. You'd have to wait for the keep-alive timeout to pass first of course. Try again but this time, access the same server again after about 30 seconds (assuming keep-alive timeout is 15 secs). Probably helpful to try an IIS server as well as yahoo.

Re:Not reproducsble with MSIE 5.0 on Win98

[pjrc]

You put a lot of work into that.

Actually, it wasn't that hard. But I shoulda been more careful with my spelling in the subject line.

But alas, Yahoo isn't using IIS so its all a moot point.

No, it is valid. You should read the article more carefully.

The article claims the MSIE sends a request first before the normal SYN to establish the connection, before it knows what server is being used. The claim it waits for a RST packet (the standard behavior) from non-IIS servers, or a response from IIS.

Quoting from the article:

In other words, instead of sending a SYN packet like every other TCP/IP application in the world, IE would send out the request packet first of all. Just to check. Just in case the HTTP server was, oh, say, a Microsoft IIS server.

Re:Not reproducsble with MSIE 5.0 on Win98

[MegaFur]

*sigh* Did you read the article? According to it, if you try to connect IE to a non-IIS web-server, there should (possibly) be a slow-down as IE first tries a non-standard connection attempt. If it were true--if IE were trying to make a non-standard connection attempt first--it would be something you could spot the way this person was trying to do.

As much as I thoroughly hate M$, it seems pretty obvious IE is not cheating here.

Re:Not reproducsble with MSIE 5.0 on Win98

[pjrc]

ok, why not. I've got a bit of time tonight (girlfriend left for a business trip with early monday morning meetings).

This time, I tried www.intel.com (which is an IIS server). It is a bit more complicated because content comes from multiple servers. You'll see that on the second access, where all the content is caches and IE already knows a list of IP numbers it wants to contact to check if the cached copy is up to date.

Cutting to the chase: we see 1 connection opened in the first group of packets (I didn't include enough to see the later connections for the content from other servers) and 4 connections opened in the second group of packets when reloading the page 4 minutes later. All connections are opened in an RFC compliant manner, with no requests sent before the connection is properly opened as the article claims.

MSIE asks IP address of www.intel.com
22:56:51.812091 192.168.194.211.1026 > 192.168.194.1.domain: 7+ A? www.intel.com. (31)

Nameserver responds
22:56:51.924028 192.168.194.1.domain > 192.168.194.211.1026: 7 2/2/0 CNAME www.glb.intel.com., (105) (DF)

MSIE starts connection with normal SYN
22:56:51.931109 192.168.194.211.1048 > 198.175.96.33.http: S 3669105715:3669105715(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Intel responds with SYN/ACK
22:56:51.982576 198.175.96.33.http > 192.168.194.211.1048: S 1792107795:1792107795(0) ack 3669105716 win 8192 <mss 1460>

MSIE responds with ACK to finish opening the connection
22:56:51.982969 192.168.194.211.1048 > 198.175.96.33.http: . ack 1 win 17520 (DF)

MSIE sends HTTP request (249 bytes)
22:56:51.983879 192.168.194.211.1048 > 198.175.96.33.http: P 1:250(249) ack 1 win 17520 (DF)

Intel responds with ACK (but no data yet)
22:56:52.040913 198.175.96.33.http > 192.168.194.211.1048: . ack 250 win 8192

Intel responds with two packets, each carrying 1460 bytes of data
22:56:52.064191 198.175.96.33.http > 192.168.194.211.1048: . 1:1461(1460) ack 250 win 17271 (DF)
22:56:52.072302 198.175.96.33.http > 192.168.194.211.1048: . 1461:2921(1460) ack 250 win 17271 (DF)

MSIE acks both of them (delay ACK as per RFC)
22:56:52.072713 192.168.194.211.1048 > 198.175.96.33.http: . ack 2921 win 17520 (DF)

Intel sends more data
22:56:52.141252 198.175.96.33.http > 192.168.194.211.1048: . 2921:4381(1460) ack 250 win 17271 (DF)

MSIE responds
22:56:52.141712 192.168.194.211.1048 > 198.175.96.33.http: . ack 4381 win 17520 (DF)

Many hundred more packets occur, with connections established to other servers (opened the normal RFC compliant) way.

.

And here is view the same page about 4 minutes later

.

MSIE sends SYN to open connection to 198.175.96.33 (connection #1)
23:00:26.798508 192.168.194.211.1062 > 198.175.96.33.http: S 3723498008:3723498008(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

MSIE sends SYN to open connection to 216.203.32.78 (connection #2)
23:00:26.802485 192.168.194.211.1063 > 216.203.32.78.http: S 3723557647:3723557647(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

MSIE sends SYN to open connection to 64.154.80.51 (connection #3)
23:00:26.826112 192.168.194.211.1064 > 64.154.80.51.http: S 3723624012:3723624012(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

Notice the absence of any packet related to an already-open connection, as the article claimed. Below MSIE opens a 4th connection to another server, again using the RFC compliant SYN-SYN/ACK-ACK sequence before and data exchange takes place.

Intel respond with its SYN/ACK to open the connection (#1)
23:00:26.853681 198.175.96.33.http > 192.168.194.211.1062: S 626928500:626928500(0) ack 3723498009 win 8192 <mss 1460>

MSIE (for some reason) sends a RST and terminates connection #1. Perhaps it abandoned the connection after calling connect (or whatever MSIE calls if it's not using the normal sockets API), maybe because it didn't really need to check if the file cached from this server is up to date. Better programmers might have simply avoided attempting to open the connection in the first place, but it's certainly allowed to abandon an open like this and sending a RST packet to abort opening the connection is legal TCP behavior.
23:00:26.855874 192.168.194.211.1062 > 198.175.96.33.http: R 3723498009:3723498009(0) win 0

(#3) responds with SYN/ACK to open connection #3
23:00:26.900586 64.154.80.51.http > 192.168.194.211.1064: S 2830569043:2830569043(0) ack 3723624013 win 33580 <nop,nop,sackOK,mss 1460> (DF)

(#2) responds with SYN/ACK to open connection #2
23:00:26.909440 216.203.32.78.http > 192.168.194.211.1063: S 3187959102:3187959102(0) ack 3723557648 win 8760 <nop,nop,sackOK,mss 1460> (DF)

MSIE sends ACK to finish opening connection #3
23:00:26.912141 192.168.194.211.1064 > 64.154.80.51.http: . ack 1 win 17520 (DF)

MSIE sends ACK to finish opening connection #2
23:00:26.914312 192.168.194.211.1063 > 216.203.32.78.http: . ack 1 win 17520 (DF)

MSIE transmits HTTP request (331 bytes) on connection #3
23:00:26.917184 192.168.194.211.1064 > 64.154.80.51.http: P 1:332(331) ack 1 win 17520 (DF)

MSIE transmits HTTP request (267 bytes) on connection #2
23:00:26.919711 192.168.194.211.1063 > 216.203.32.78.http: P 1:268(267) ack 1 win 17520 (DF)

connection #3 reponds with ACK to the request
23:00:27.009910 64.154.80.51.http > 192.168.194.211.1064: . ack 332 win 33580 (DF)

connection #3 reponds with FIN (close connection) - delivered out of order by the internet!!!
23:00:27.010734 64.154.80.51.http > 192.168.194.211.1064: F 517:517(0) ack 332 win 33580 (DF)

MSIE responds with ACK at byte 1 (saying it hasn't received the data yet)
23:00:27.013719 192.168.194.211.1064 > 64.154.80.51.http: . ack 1 win 17520 <nop,nop,sack sack 1 {517:518} > (DF)

connection #3's data finally arrives (presumably server send this before the FIN but it was delivered out-of-order)
23:00:27.017008 64.154.80.51.http > 192.168.194.211.1064: P 1:517(516) ack 332 win 33580 (DF)

MSIE responds with an ACK that is received all 517 bytes. Obviously HTTP/1.1 is in use here and the response with something like a 304 telling MSIE that the copy it has in its cache is up to date.
23:00:27.019072 192.168.194.211.1064 > 64.154.80.51.http: . ack 518 win 17004 <nop,nop,sack sack 1 {517:518} > (DF)

MSIE transmits FIN to close connection #3
23:00:27.022234 192.168.194.211.1064 > 64.154.80.51.http: F 332:332(0) ack 518 win 17004 (DF)

MSIE decides to open a 4th connection, and again uses a standard SYN packet
23:00:27.026125 192.168.194.211.1065 > 64.154.80.51.http: S 3723719998:3723719998(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

connection #2 ACKs the request, but does not send any data yet
23:00:27.035684 216.203.32.78.http > 192.168.194.211.1063: . ack 268 win 8760 (DF)

connection #2 sends FIN (connection close) at 441st byte (delivered out of order)
23:00:27.081678 216.203.32.78.http > 192.168.194.211.1063: F 441:441(0) ack 268 win 8760 (DF)

MSIE sends ACK at byte 1 (didn't receive the 440 bytes) to connection #2
23:00:27.083705 192.168.194.211.1063 > 216.203.32.78.http: . ack 1 win 17520 <nop,nop,sack sack 1 {441:442} > (DF)

connection #2's 440 bytes of data arrive
23:00:27.087099 216.203.32.78.http > 192.168.194.211.1063: P 1:441(440) ack 268 win 8760 (DF)

MSIE sends ACK for all 440 bytes (again, probably a HTTP 304 response)
23:00:27.089153 192.168.194.211.1063 > 216.203.32.78.http: . ack 442 win 17080 <nop,nop,sack sack 1 {441:442} > (DF)

MSIE sends FIN to close connection #2
23:00:27.092288 192.168.194.211.1063 > 216.203.32.78.http: F 268:268(0) ack 442 win 17080 (DF)

connection #3 sends another ACK (I'm not exactly sure why)
23:00:27.096392 64.154.80.51.http > 192.168.194.211.1064: . ack 333 win 33580 (DF)

(#4) responds with SYN/ACK to open connection #4
23:00:27.100604 64.154.80.51.http > 192.168.194.211.1065: S 1240818516:1240818516(0) ack 3723719999 win 33580 <nop,nop,sackOK,mss 1460> (DF)

MSIE sends ACK to finish opening connection #4
23:00:27.101961 192.168.194.211.1065 > 64.154.80.51.http: . ack 1 win 17520 (DF)

MSIE sends HTTP request (333 bytes) on connection #4
23:00:27.112355 192.168.194.211.1065 > 64.154.80.51.http: P 1:334(333) ack 1 win 17520 (DF)

.

So, there you have it... a test viewing the same page twice (though the article mentions MSIE tries this speculatively) and done with an IIS-based website (though the article claims MSIE tries this with all sites and it slows down with non-IIS and speeds up with IIS).

All the connections are opened here in an RFC compliant manner.

Re:Not reproducsble with MSIE 5.0 on Win98

[pjrc]

I think you would have to try a second request to see the behavior described.

I did. here is the message.

The article is talking about reusing a connection that is left half open by the client. It should be the second connection that would exhibit the behavior.

It talks about this approach working because IIS (supposedly) doesn't close connections fully (it actually did in my tests). But it claims MSIE sends this speculatively, hoping that a server might accept the request.

In any case, I had some time to kill tonight, and didn't feel like doing anything productive, so I repeated the test and annotated the packet log... which was quite a bit more work because MSIE opens many connections concurrently when verifing cached content (and it already knows the server IP numbers from the cache).

Still, you will see 4 connections opened, all in the normal way (well, one is aborted before fully opened, but still legal behavior though non-optimal). You'll also see two connections fully closed (FIN in each direction), so the part about connections being left half open is also not reproducible.

Re:Not reproducsble with MSIE 5.0 on Win98

[ZigMonty]

OK fair enough. I'd have checked it myself but I'm on a Mac.

Re:because we can

[coupland]

So what you're saying is that it's the fault of Slashdot for their "criticize, condemn, and crash" strategy even though you then turn around and blame it on the "H1B monkeys"... Yes, it's the fault of all these immigrant monkeys, you hit the nail on the head. Has it ever occurred to you that these immigrant "monkeys" are stealing your jobs because you're a race of fat lazy shits, not because they're monkeys????????

Re:slashdotted

[chunkwhite86]

Your correct! No, they are not the ones responsible.

Guns don't kill people - people kill people.

And tell me why I am a non-smoker when I've been exposed to all the same tobacco advertising and peer-pressure that everyone else has?

Because I am responsible for my own actions. Thats why.

Blaming tobacco companies for smoking and gun manufacturers for gun related violence is a wimpy escape for weak minded sheep who have no sense of personal accountability.

I suppose you also think that Mac Donalds is responsible for all the fat-assed Americans being so fat? And maybe the rope manufactueres are responsible for all the suicides commited by hanging ones self?

Re:so what?

[da_Den_man]

It is called :

# HTML support

# URI parsing that's RFC-2396 compliant

# Cookies support, RFC-2965 compliant

# XHTML 1.0 rendering

# Plain text rendering

# Image formats support: PNG, JPEG and GIF (no animated GIFs)

# HTTP 1.x Compliance

RFC / W3C STANDARDS

Even more interesting.....

[inKubus]

What is much more interesting is what IE does AFTER it sends that first request without opening the connection... You know the lovely MSN Search page it loves to pop up? Everytime IE encounters (for the first time in each session) a non-IIS server, it promptly connects to MSN Search and submits the website address....

You are being watched, friends.

Re:Even more interesting.....

[jon787]

Oh he's just joking about what IE does if it can't find the server to connect to. When it can't connection it runs a search on MSN for the domain name.

Re:Even more interesting.....

[Jimmy_B]

Everytime IE encounters (for the first time in each session) a non-IIS server, it promptly connects to MSN Search and submits the website address....

Either this depends on a specific option being set or using a specific version of IE other than the one I have, or this is an outright lie. I just watched a packet dump of IE making an HTTP request, and there were no suspicious extra IP addresses involved in the transfer (just myself, the nameserver, and the server requested).

Hey, this is Microsoft

[Alien+Being]

Is there anyone out there who really expected their *handshake* to mean something?

Hey, these are age old tricks

[deanj]

People seem to forget (or forgive) things back when Netscape was doing all kinds of crap, including inventing new HTML back when everyone else was trying to standardize on things.

People were quick to forgive Netscape, but not so quick to forgive MS. I hate MS as much as the next guy, but all this umbrage is amusing when related to days past.

Re:slashdotted

[LostCluster]

2. They have no way of knowing if a site can't handle the load.

Here's an easy to automate solution...

1. /. grabs a copy of the linked sites nanoseconds before posting the story, just in case.
2. Have a "report dead link" option next to new stories. (Those who abuse this feature can pay in karma.)
3. If too many users report the link as dead, /. starts substituing the mirror link for the next hour.
4. After time's up, the link reverts back to normal. If the complaint threshhold is reached again, the process repeats.
5. Once a link has survived 12 hours without need for the mirror, the mirror page can be deleted, because the worst is now over.

If anybody doesn't want that mirroring service, /. can honor the same robots.txt standard that keeps sites out of Google's mirror as well. Furthermore, /. can "whitelist" the freequently-linked commercial sites like CNN, Wired News, Washington Post, and etc. who should be big enough to handle things on their own, and therefore wouldn't want the mirror anyway.

deliberate?

[tuzen]

In any sufficiently complex software, there are bugs. One should certainly entertain the fact that this behavior is accidental. Not everything MS does is deliberate, and I find it entertaining that so many folks assume their 'enemy' is malicious and organized.

Re:IE and IIS probably coded with MFC

[markbthomas]

Ahhh, I get it now: "we can't remove IE from Windows, because then it wouldn't get all of its naughty speed hacks..."

Re:MSIE is to blame!

[Ageless]

Since when was there anyone else... that mattered? :)
Majority rules baby. Live with it or do something to change it.

Re:slashdotted

[dubl-u]

2. Have a "report dead link" option next to new stories. (Those who abuse this feature can pay in karma.)

You could do even better.

Just before a story goes up, it would be easy to load-test the site. They could hit it with, say, 500 parallel requests.

If it passes that, then the story goes up as normal, but Slashdot checks the site every minute. If performance drops off substantially, then n% of Slashdot readers get a link to the mirror. If the site is stil slow, n is increased until the site is reachable.

Then, n is allowed to decay over time; if it goes too low, the automatic monitoring would bump it up again.

And then for dessert, we can write a peer-to-peer mirroring system, so that Slashdot doesn't have to pay out for the extra bandwidth.

Hmm... This sounds fun. If anybody has the connections to get this incorporated into the Slashcode used on Slashdot, let me know; I'd be glad to work on the monitoring, mirroring, and sharing stuff.

Re:slashdotted

[schlach]

the best comment on that was the first one I saw, here

Search engines look at robots.txt, maybe a similar txt file could be placed that is meant for metanewssites or similar stuff. Let's call it mirror.txt and you put in there something like

temporary=yes
validity=2days

etc. That way smaller sites could indicate that they want to be mirrored to esape being slashdottet.

Re:slashdotted

[LostCluster]

My plan was designed so that /. itself would never request the page more than once, and it would rely on the users to report a failure. The problem is, 500 requests within a span of a few seconds can bring down some small servers, particularly if the page is dynamically generated. /. could be accused of launching a DOS in the name of load testing. The idea is to reduce the number of hits a weak server takes, not add 500 to the number /. is about to throw at it anyway.

Re:slashdotted

[1u3hr]

3. Waiting for a mirror to appear would make news show up incredibly slow.

They don't need to wait for a mirror to appear -- just send an email to the site owner warning him and giving info on how to arrange a mirror should he so want.

4. The community automatically mirrors or pastes content that has been /.-ed you just need to spend 2 seconds reading the comments.

Sometimes. 5. The guy with the Lego site is probably tickled pink that his site just got a billion hits and probably doesn't mind things crawling to a halt for a while. It's his 15 minutes of internet fame.

Yes, especially if he has some banners or such he's earning money from, he may bitterly resent having his content displayed elsewhere without his ads.

EBAY!

[sstamps]

I wonder what maxed-out karma /. accounts are going for on e-bay? Move over, EQ/AC/UO! /. accounts for sale!

Yeah, yeah; off-topic. I think it goes without saying that MS needs a good thrashing about the face and neck over crap like this. Worst part is, if someone writes a server that follows network specs 100% and takes no crap from non-compliant (read: MS) clients, causing them to fail to connect to said server, then would Microsoft have succeeded in their quest to "embrace and extend"?

The question is, who will stop them? How many kludges are already in server programs like Apache that had to be put in to cope with Microsoft's shenanigans?

Re:Who cares?

[nojomofo]

Don't you mean .95 * .3 == .285??

Re:slashdotted

[dubl-u]

500 requests within a span of a few seconds can bring down some small servers, particularly if the page is dynamically generated. /. could be accused of launching a DOS in the name of load testing.

Good point. Better to use a slow-start algorithm on your worker threads so that you can gradually discover the maximum hits/s that the server can handle. Then if that number is lower than the peak expected, the Slashcode can turn on the n% mirroring right away.

The trouble with waiting until users report it is that you are guaranteed to bring down the weak servers. Slashdot is already accused of being a DOS attack tool; they might as well own up to it and try to make it behave a little better.

Are we being taken for a ride here?

[LostCluster]

I see several posts here claiming attempts to duplication have failed...

Is the original article B.S.?

speaks poorly of the client

[SHEENmaster]

If it won't follow the standard. If I make an http client that sends "TEG index.html HTTP/0.9" instead of "GET index.html HTTP/0.9" can I bitch when IIS and Apache don't support it?

As a summer job I had to make a Java applet that would let the user design a sign, preview it, then order it by sending an email through a M$ outlook ESMTP server. I won't go into the specifics, but I will say that it violated several parts of the ESMTP spec. It was lenient in some areas and strictly adhering to its mistake in other areas.

I won't go into how IIS had to be reinstalled weekly or how M$'s VM was too horridly incompliant with Swing(needed for advanced font crap) for compatibility to be a possibility without writing my own windowing toolkit!

Consider this a rant if you wish, but please realize that I dealt with too much bullshit from that monopoly to keep my mouth shut and stay in their crooked little line.

Re:speaks poorly of the client

[kasperd]

If I make an http client that sends "TEG index.html HTTP/0.9" instead of "GET index.html HTTP/0.9" can I bitch when IIS and Apache don't support it?

But if you then instead use simple requests just containing "GET /" can you then bitch when IIS and sometimes Apache don't support it?

Re:If you don't like it, don't use their products.

[yerricde]

And another thing: don't use Internet Explorer even if it is built into Windows.

No other web browser supports the ActiveX controls required to download security patches from Windows Update.

Re:DNS is a possibility

[MillionthMonkey]

When trying to connect to an address of form 1.2.3.4, the program would halt for some twenty-thirty seconds before proceeding.

IIRC this was a problem with Sun's implementation of InetAddress.getByName() on Windows. When passed a string containing a dotted numeric quad, it stupidly tried to do a DNS lookup on it instead of simply filling in the four bytes and handing you an InetAddress. Because who knows- maybe someone registered "192.168.1.23" as a domain name! (Which would be akin to registering "microsoft.com" with a Cyrillic "o", but never mind.) Then of course your thread stalled inside InetAddress for half a minute while it waited for the DNS timeout. This makes me suspect that Sun's code was waiting for the successful DNS response and ignoring the failure response that actually arrived. Probably the same moron was responsible for both bugs. Editing the hosts file became the standard workaround.

I don't know when it got fixed but there's code in there to check for a dotted quad now.

Re:slashdotted

[chunkwhite86]

I agree 100%.

There is no good solution at the moment. But a good solution could possibly involve some sort of adaptive bandwidth throttling done on the server side to avoid getting a huge over-bandwidth charge.

Agreed about the guns and rioters, but viewing web pages (even by hordes of geeky /.ers) for (mostly) educational purposes is hardly criminal - It's a technological problem with no perfect immediate solution.

Re:but... firewalls??? proxies??? caches??? netsta

[Dyolf+Knip]

Right. Keep Alive is a standard aspect of HTTP. This nonsense is being done on the TCP/IP level.

horse manure...

[Supp0rtLinux]

Whoever wrote this and his 'team' are tards. What they were seeing was a keep-alive (persistent) connection, or a persistent connection...it's total BS that IE would ever send a request to a host without a connection already being open. IIS just allows for persistent connections...when you hit blah.com, you open the sock, send your request and all and specify keep-alive. Now, the socket just stays open, so when they hit another page on the same host, they send a request to the already-open socket without the initial 3-way handshake since they've already done that. If it was true that IIS allowed IE to get a page without a 3-way handshake first (not that the Windows TCP/IP stack would even _allow_ that packet to get through because it's based off of the BSD TCP/IP stack, and a 3-way handshake _must_ be done before any data can get to a user-land socket..and not like any NATed routers would let it through, either), it would allow total TCP hijacking and DoS's But it's always nice to see that people who don't know jack are able to post stuff to slashdot ;o

Re:slashdotted

[Nogami_Saeko]

Why not just have operators add a default file to their site, sort of like a robots.txt file?

Something like:

mirror.txt (allow_automatic_mirror:true/false)

Seems like an easy solution?

N.

portuguese for 'black', dumbass

[ChrisCampbell47]

His email is in the .pt TLD, for Portugal.

Translate it. Is any use of the word "black" now considered racist?

Yeah, I know, I've been trolled ...

Speed where it matters

[Rui+del-Negro]

Exactly. The difference between rendering a page in 0.5 seconds and rendering it in 0.3 seconds is irrelevant. But things like Ctrl+Shift+Click (open in background), the way the cursor jumps to the address bar when you hit Ctrl+N, searching for selected text on the net directly from the context menu, zooming in on pages, etc., are things I find really hard to live without.

Unfortunately, while Opera 7 (beta) has much better support for dynamic HTML / CSS / DOM (nearly as good as Mozilla), the interface is still nowhere near as polished as Opera 6's.

RMN
~~~

Re:MSIE is to blame!

[bobthemonkey13]

That's a little different. Keep-alive connections in HTTP still have the normal TCP connection startup (SYN - SYN/ACK - ACK) and teardown procedures, it's just that they last for multiple transactions. A keep-alive connection is generally closed after the page, including all embedded content, images, etc is loaded. What IE and IIS are doing is most certainly non-RFC: they are keeping the TCP connection half-open between page views, even though they "close" the connection at the HTTP level with a "Connection: close" header. Then, it can be reopened directly later, without worrying about any of that "reliability" and "stability" and "standards" crap. Yay for the Microsoft Monopoly! Next thing you know, they'll distribute broken/nonexistant Java VMs to get people to use their own proprietary, insecure technology.

Oh wait.

Re:slashdotted

[akmed]

Sorry about the combative tone of my last comment. I wrote it and thought I hit preview yet it submitted it anyway. Ohh well. Anyway, I'd still argue that slashdot is a hosting site, they just do free hosting on a limited basis. Your second argument seems a bit odd. You seem, unless I'm misreading you, to advocate that everyone build electronic gates to their sites lest someone discover it. The fact that I don't have a gate around my yard does not mean that I'm inviting the world to come onto my property. However people with business to transact (such as UPS or Fedex) or friends of mine or other such expected visitors or even the occasional unexpected visitor are welcome to stop by and transact their business or talk to me. But I'd be pretty annoyed if the UPS guy told one of his buddies to invite everyone possible to come party at my house and to invite all their friends because the party is expected to be a megabash and maybe my house'll burn down or my lawn will be destroyed but that's ok because I can rebuild/re-sod it, right? We shouldn't need to gate off the internet just because some people out there think it's just fine to invite everyone to my website without even asking me. It's not hard to ask permission. And slashdot is not known for their current news but for their interesting news. That's why they don't have reporters who investigate but instead wait for submissions and review those submissions all in good time and not immediately (though sometimes it is pretty instant, it just depends). I do like slashdot but its because of their sometimes interesting stories, not their manners. I'm not asking for miracles, I'm asking for courtesy such that people who do write interesting things don't feel compelled to hide their work behind elaborate fences and gateways to keep out random websurfers. You wouldn't want me to invite many thousands of people to party at your house without discussing it with you first, would you?

Re: HTTP over UDP? Just say no...

[theNetFreak]

You really don't want to do that. HTTP over UDP is simply a bad idea... Why? In order to meet the most basic needs of a stream reliant protocol (ala HTTP) you need a few things:

1. Reordering (No guarantee packets arrive in order)
2. Retransmiting (Detect lost packets and resend)
3. Speed throttling (Packets go too fast -> router interface buffers overflow -> packet dropped)

It is of course possible to write a protocol on top of UDP to do these things, but thankfully we don't have to as someone did the work for us... it is called TCP.

I suppose if you wanted to use a HTTP/UDP mechanism for very short communication only (read: one request packet, one reply packet) then those issues aren't relevant, but otherwise leave the heavy lifting to TCP or other stream based IP protocols.

Data after FIN shouldn't be allowed

[Krellan]

The 4 steps when the server finishes sending data and closes the connection, from the article:


Client Server
<-- FIN
ACK -->
FIN -->
<-- ACK


When the server has no more data, it sends FIN.

The server should not be allowed to send more data after the FIN! This is a violation of the TCP spec. Otherwise, how would clients truly know whether or not the server had more data to send?

TCP does support something called "half close". It is possible to indicate that you have no more data to send, but that you are still willing to receive data. This is why both sides must send FIN, in order to cleanly close the connection. If one side sends FIN but the other doesn't, the connection remains open, but data can only flow in one direction (sending from the side that did not send the FIN). This is useful for cleanly shutting down connections and making sure that both sides receive all the data they were expecting.

In the example from the article, when the client receives a FIN but does not send a FIN of its own, this is legal: the TCP connection now is one way, and data can only be sent from the client to the server. The server is not allowed to send more data. So, if IIS is doing this, it is breaking the spec. It is important to note that the client is doing nothing wrong in this case.

Re:slashdotted

[CaseyB]

As the owner and operator of a small commercial web hosting outfit

How did you manage that, while being too stupid to understand bandwidth throttling?

RTFA

[ZigMonty]

How many of you fucking idiots are going to keep posting the same bullshit?

Read some of the other comments, especially the ones in response to other comments like yours.

Whether or not this is true, it is *not* HTTP pipelining, keep-alive or any other *HTTP* level method of persistent connections. When the server times out and closes the connection, IE doesn't do the same. If it needs the same site again it just sends the request on its still open socket. If the server is IIS, it will reopen it's side (somehow) and return the requested page, instead of sending a reset like it should. I don't know if IE and IIS actually do this or not but *that* was what the article was talking about. It's a TCP level hack.

If you're going to whore, at least make sure it is relevant.

Re:RTFA

[ZigMonty]

Sorry.

It still isn't pipelining. It may be badly implemented persistant connections but i can't see how it could be pipelining. I agree completely with your analysis but you can't deny that the parent was just karma whoring. My main objection was that keep-alive != pipelining and that the parent just cut and pasted from somewhere else.

Re:Who cares?

[banzai51]

Ok, now would all the rocket scientists here explain to me why IE loads apache pages just as fast as IIS pages? And way faster than Mozilla? This smells like FUD from Open Source land because there isn't a speed difference based on the server OS. IE renders pictures much faster than Netscape/Mozilla, that is the difference. God forbid if Microsoft actually codes something better than open source or it's competitors. So it HAS to be standards breaking! Wonder how they got the Apache group to comply?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Persistent Connections

[Reziac]

Does this go both ways? I don't use IE, but I've noticed that sometimes I can't seem to get NS loose from some servers (the connexion stays open until NS has been shut down for several minutes).

Regulating IE Use

[0x0d0a]

That's right, who cares if it violates standards to do so? I run Windows! All bow before me! Fuck the rest of you that don't run Windows!

I run stop signs--it gets me to work quicker! Who cares if I break the law--as long as I get there!

The difference is that with running stop signs, the community has recognized issues with the behavior, and goes out of its way to increase the cost of this behavior (police cars, fines, tickets, license revocations).

This hasn't happened with MS deliberately violating standards (not sure they were in this case, though it's definitely happened in the past). The problem is that because so many people use IE, simply blocking IE from downloading pages from your server usually doesn't work very well.

A better solution is to give perks to the other people. Not infrequently, Linux versions of software are less expensive or free (I was just using icc the other day, for example). Instead of trying a zero-tolerance policy, it's better to give people little perks for engaging in the behavior you like.Regulating IE Use.

Re:Who cares?

[0x0d0a]

You bitter or what? Seriously...he said basically "Moz has tabbed browsing, which makes it better than IE".

You then go "Opera is a pioneer, and Moz is just a robber. Plus, IE is going to do the same soon, so it's no benefit."

If you haven't tried Moz recently, I'd suggest doing so. At one point, it was dog-slow and I used Opera too. But those days are long gone, and Moz's compatibility is better and performance on roughly the same level (at least in the Linux version of Opera).

Plus, Moz doesn't force you to use MDI. God, I hate MDI. Sucks horribly with multiple viewports (even when I'm using Windows, I gotta have a pager).

Re:Who cares?

[0x0d0a]

I don't know anyone that likes AutoComplete, actually. Everyone I know disables it (and the "password manager").

Re:Who cares?

[0x0d0a]

Business is business...

Yet I stop hearing this from Windows people when people write worms and exploits for Outlook or IE or Word.

All depends on which shoe the foot is on, doesn't it?

Re:Who cares?

[0x0d0a]

How about popup blocking (doing this in a proxy, as one must do on IE, is slower and less reliable)?

Severe holes in IE security

[0x0d0a]

Last summer I was using IE's FTP client. I had "do not save password" enabled, yet even after rebooting, IE automatically entered the password when reconnecting. I was running the lastest version of IE available through Windows Update (probably 6.x).

Which probably means that on the machines of IE FTP users have a bunch of their passwords sitting around somewhere.

The Register not reputable?

[0x0d0a]

I don't read The Register very much, but I wasn't aware that they didn't have a good reputation. This true?

Re:dumb question

[spectecjr]

In my case I'm using TCPViewPro from www.winternals.com (or there's the freeware version from www.sysinternals.com)

Others may be logging them on their firewall/routers.

Simon

We don't need no stinking transport layer!

[stinky+wizzleteats]

Method A - what TCP session? Just send the request!

Method B - initiate TCP handshake and begin legitimate conversation.

So what you're saying is that since method A is going to fail if attempted through a stateful firewall, Every corporate customer of Microsoft has to wait until method A fails for every single outbound web connection, regardless of the server, so that joe sixpack with a modem will think M$ is the shit.

Unless of course, you don't run a firewall. Trustworthy computing, anyone?

I wonder if the mindless millions of corporate tools who've standardized on IIS/IE have any concept of this.

This MAY be the first time a FP got a score of 5!

[gatesh8r]

Mark this down on the calanders everyone...

Re:Borwser Wars

[Zontar+The+Mindless]

> I have made MANY web sites that validate (strict) and they look right on IE and Opera, but not moz/netscape.

Passing the HTML validator != "correct". (This has been pointed out before. Wish I had a link to one of the relevant convos/posts.)

Mozilla's CSS compliance runs circles around MSIE's, and is a hair better than Opera's. For example, MSIE does table CSS totally wrong. Well... that's not quite true: actually it doesn't do real table CSS at all.

There's boatloads of the CSS-2 spec that MSIE simply ignores.

And there are also plenty of sites out there whose HTML and CSS both validate fine, but that have bad document structure, using various hacks to achieve a given "look" whether or not things are intended to be used that way.

Re:MSIE is to blame!

[crashnbur]

If the majority really ruled, than Al Gore would be President. Fact is, the majority is only right when it can do something about it or when it isn't wrong (or else how would desegregation have ever happened?)...

Wrong for so many reasons...

[NFW]

It is preposterous to expect slashdot to be responsible for linking to someone else's site.

It is preposterous to apologize for an organization that unleashes a DoS attack on several servers every freakin' day.

By putting content on the WWW, you are explicitly allowing others to visit your site.

By having an email address you are explicitly allowing others to spam you with penis extension and make.money.fast schemes. Right?

Not everyone has bandwidth that is metered.

Not everyone has unlimited free bandwidth. In fact, I'd wager that such sites don't even exist, excepting maybe www.quest.com and the like.

And don't nobody bring up the red herring about 'legal issues with mirroring.' If you offer to mirror, and they agree, there are no legal issues. If you offer, and they content owners declines the offer, then you don't mirror and there are no legal issues. Bottom line: there are no legal issues with mirroring.

In the latter case, nothing changes. In the former case, /. readers would actually be able to see what /. links to, without waiting a couple days for the stampede to pass. Imagine that! Slashdot, but with readable content in every link. Slashdot readers would have a better exerience, site operatores would have fewer DoS attacks, and everybody would be happy. Well, everyone but the slashdot people, of course... they'd have to (gasp!) ask permission to mirror and maybe actually (egads!) mirror a few pages before posting some of their stories. Oh, that extra work would be un-freaking-bearable.

So, DoS it is!

This is getting ridiculous

[zjbs14]

700+ comments, 95% of which are:
- MS sucks for breaking RFC's
- Apache should do something about it
- Users of IE are clueless morons.

All of this because some blogger can't read a packet trace correctly. Everyone in the thread who's actually TRIED it (the other 5%) hasn't seen this behavior.

There's no way anything's going to work if IE doesn't send a SYN. Nothing, Nada, Zip. It just won't happen. Firewalls, NAT, transparent proxies would kill it. IIS isn't going to care, the TCP/IP stack won't even let it get there. Same goes for Apache. Get THE book on TCP/IP and find out why.

I think this thread is a prime example of what Slashdot has become. Never mind news for nerds (definition not limited to the Linux crowd) and stuff that matters. We'll post anything as long as it's anti-MS.

Re:This is getting ridiculous

[JoeSmack]

700+ comments, 95% of which are:
- MS sucks for breaking RFC's
- Apache should do something about it
- Users of IE are clueless morons.

All of this because some blogger can't read a packet trace correctly. Everyone in the thread who's actually TRIED it (the other 5%) hasn't seen this behavior.

Damn, right!

Don't forget the people who keep posting, "isn't this T/TCP? No, I don't have any idea how standards work." Or the, "Everyone here is a moron because this is just pipelining/keep-alive. Uh. I have no clue what you mean when you say, 'HTTP is written on top of TCP/IP and shouldn't affect TCP handshaking.'"

I agree, this is getting absolutely ridiculous. Please everyone get off your anti-MS high horses, take the opportunity to read the article, analyze it, and do some research ESPECIALLY if the article is about standard networking protocols and you do not know what a protocol stack is. The fun part is supposed to be learning about stuff, not spewing mindless drivel, only to have other people keep repost it. And please, read the other posts. I swear the state of slashdot of late is starting to making me lose faith in nerds.

IE doesn't seem fast to me.

[MikeFM]

I always get annoyed at how slow IE feels when I have to use it. Mozilla seems to load pages (in both XP and Linux) quite a bit faster than IE does. I haven't taken speed metrics or anything.. it just feels faster. I do use a proxy server so possibly Mozilla deals with the proxy server better than IE does.

The proxy seriously speeds up web traffic to my LAN though and reduces bandwidth usage. I use Squid on my remote server and a proxy of my own design on my LAN (that talks to Squid on the remote) and half a dozen users on the LAN can comfortably web browse over a dial-up. Bandwidth usage with multiple people browsing is usually still low enough to use ssh to a remote server comfortably.

Actually, it is ingenious...

[rsilvergun]

...because if you're IIS server is maxing out on connections, chances are you'll have to add another one; and another IIS licensce at several hundred a pop :).

client Re:security

[leuk_he]

This at least requires a client to have raw socket access in my opinion. If it is supposed to setup a connection without the normal syn startup (as i read the article) it needs some direct raw ip access. This allows a lot of spoofing from windows boxed that are "rooted:"

Want to know more about raw socket access, ask gibson about that.

Oh no it doesn't

[mkv]

This has nothing to do with antitrust cases or any other legal action whatsoever. It is simply a case of Microsoft trying their best to improve their customers' web surfing a little bit provided that the server admin runs IIS. Sure they are bending the rules a bit but hey, they are in a position which allows them to do it and IE users are the majority anyway. What I think should be done is to add a similar behavior pattern to Apache and whatever other web servers you might be using. If some RFC disallows this, then another RFC should be written to allow it.

Same here

[Slur]

...Banged my head on the wall until I found the solution you mention was suggested on the Apache site. They claim it's only a problem in a beta of MSIE but I've seen it in all recent versions up to 6.

And here's the page!

Re:so what?

[FooBarWidget]

It [b]does[/b] hurt. IE becomes slower when trying to access webpages from non-IIS servers!

There is something wrong with your eyes

[FooBarWidget]

I don't know where you get those "95% of which are blabla" from, but I see 800+ comments:
- 70% "the article is fake!" or "I tested it but IE use standard TCP requests. fuck you anti-Microsoft Linux zealots!"
- 10% "MS sucks"
- 10% junk/flamebait/trolls/crapfloods

Sorry, but your claims are completely false. Slashdot is everything but anti-MS. Why do you think your post is modded as +5 Insightful?
That Slashdot is an anti-MS site is simply false. People have been saying how Slashdot is anti-MS for centuries but every time I browse through the comments, there are always lots and lots of pro-MS comments, a lot of them are even modded +3/+4/+5.

Re:There is something wrong with your eyes

[FooBarWidget]

The article posters may be anti-Microsoft, but that doesn't matter: the majority (the Slashdot community) isn't. (In fact, most of them use Windows, not Linux.) The few anti-MS people behind Slashdot simply can't compete to the milions of pro-MS Slashdotters.

POINT WHICH NOBODY HAS RAISED YET I THINK

[Old+Wolf]

If the story is correct, then an IE client behind a NAT firewall will always be slow, because the first packet will get lost (NAT uses the SYNs to establish NAT connections).

Can someone test this experimentally? (I'm not in a position to..)

Re:MSIE is to blame!

[Ponty]

Ho ho! The starry-eyed optimism of youth.

24% of respondents secretly love Windows XP in the first poll. And in the second poll, 33% of Slashdot users' main computers run Linux, while (drumroll please) 47% use a form of Windows. I don't think the babies of the world have to worry about their candy just yet.

http://slashdot.org/pollBooth.pl?qid=898&aid=- 1
http://slashdot.org/pollBooth.pl?qid=848&aid=- 1

Use this knowladge

[Felinoid]

Now make Apatchi handle IE connections accordingly and operate normally otherwise thus granting a universal improvement vs the IE only improvement.
Also add this to mosaic or ISS connections only.
If this works so well why not draft a http2? Then as Microsoft fails to implement it the rest of us can have this support.

Obligitory MS slam via reality check:
I can see if other web browsers pulled this stunt web masters would just block them to avoid a DOS type glut of expired connections.

Re:THIS HAS GOT TO STOP!!

[Felinoid]

Nobody will sue for free advertising and no cort would support a business who sued for getting to much traffic.
But mirroring a site is a copyright volation and most judges will see it that way.

Re:Who cares?

[Mithy]

Don't you mean .95 * .3 == .285??

It's even less than that, if you consider the number of ISPs that use transparent Web proxies. (Which, incidentally, is also why I have no way of verifying or debunking this article, since I don't happen to know the location of an IIS server that isn't running on port 80.)

Actually...

[artdodge]

Picking nits...

You are right that HTTP persistent connections are an application-layer construct. However, HTTP/1.1 uses no headers to signal use of persistent connections; if the request is "HTTP/1.1" then the default is to treat the connection as persistent. Connection: close signals deviation from that default behavior.

The "Keep-Alive" header was a hack to wedge persistent connections into HTTP/1.0; its use by HTTP/1.1 clients is frowned upon (see RFC2068 section 19.7.1 MUST NOT, and RFC2616 section 19.6.2 which references the above).

Not a big problem

[remande]

If I'm reading things correctly, I see three neat things about this protocol extension, which I will call, for the sake of argument, BILL.

1: Both the client (IE) and the server (IIS) can fall back to standard HTTP if the other side isn't BILL compliant.

2: The change is trivial in that it isn't very secret. Therefore, developers can make their own BILL-compliant servers and clients (or simply strap BILL onto their current open-source servers and clients).

3: BILL/HTTP impedance mismatches aren't causing a huge screw-up, especially if the the server sends a complaint packet about the first request packet.

Given the above, the HTTP developers can respond to "Embrace, Extend, and Extinguish" with a simple Embrace. If I read it correctly, the Web would be faster as a whole that way.

While I'm annoyed that MS didn't publish this (or did they?) I'm actually glad they did this.

My IE slowdown was considerably diffrent!!!!

[bored]

A month or so ago I noticed that my dual 550 linux box could surf faster than my 1.5Ghz AMD W2k box. Instead of being a linux zelot and claiming that linux was _WAY_ faster I looked into why IE was being so slow.

The reason turned out to be a 200+ meg IE disk cache that was full of 1k files. Everytime I went to load a new page it checked for cached items. Even with the directory structure cached, a page with 50+ images apparently was linearly scanning the directory structure 50+ times looking for a matching filename. Deleting the IE cache data, and lowering the cache size to something like 5 megs, was like someone unhooked a 2 ton trailer from my little sports car. It was truely amazing.

BTW: I also know how to add new zones to IE, so if anyone is interrested just ask I will provide the URL or details.

Re:Still need the connection setup?

[Todd+Knarr]

It looks like the server is sending an HTTP 1.0 version in the response, though, which makes the relevant RFC 1945, not 2616. IE should be checking the HTTP response version to determine whether it's in fact HTTP 1.1, or it should be checking the readability of the socket before writing (to detect an HTTP 1.0 server closing the connection after the response).

Re:Have a little think first

[chunkwhite86]

It's not at all a matter of courtesy and common sense. It's a technical matter. There's quite a difference.

To reiterate my point - if said hobbist puts up a web page for just his buddies, he should have tweaked his web server to allow no more than, say, four concurrent connections. Even four is probably overkill. Will it still be inaccessible when thousands of /.ers all try to hit it at once? Yes. But it will not crash Joe Hobbyist's server, and it won't rack up a high bandwidth bill for him either.

If a dance club doesn't want more than a 100 people in their club at a time, what do they do? They have the bouncer count heads and once capacity reaches 100, only admit one person for every person that exits. It's quite simple really. Does the club manager care if 50,000 people want to get into his club? No! Because he know's there is the 100 person limit in effect. If the club manager doesn't limit the capacity, it's his own damn fault when 600 people pack themselves into a club that only has room for 100 and a riot ensues.

The same goes for a web server. If you don't want to pay for 3 terabytes of bandwidth - set your server settings accordingly.

Thanks for YOUR troll though.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:slashdotted

[akmed]

Thanks for mod'ing me down, coward. My post was no more offtopic than the original post. This however is offtopic. Not that I care much. Are you one of the inconsiderate editors or just a gutless coward? Who knows, who cares. Good luck in life, chicken. I'll enjoy looking down at you from the top.

p.s. if you're going to be arrogant, be intelligent enough to do it well and don't be vengeful when someone smarter comes along and makes you look stupid. Replying to someone in kind is the civilized way. Replying to someone by falsely attacking their reputation is barbaric. Enjoy your hut.

Re:so what?

[FooBarWidget]

"so? they can do whatever they want with their own program."

Oh c'mon, that non-argument is so old already.

Yes, you can do whatever you want with your own stuff, under normal conditions. I'll give you 2 examples:

Let's say you make your own knife. You can do whatever you want... except killing people or doing other things that the law prohibits!

Let's say there's a certain person you don't like. You don't let him enter your own house. Nothing wrong with that.
But what if you own all the supermarkets in the country (--> see the relation with Microsoft's monopoly), except that 1 little supermarket 600 miles away, and you prohibits every supermarket from selling stuff to that person? Even though you own those supermarkets, that wouldn't be fair, would it?

Microsoft is a monopoly and have a huge market share, you cannot deny that. Therebefore, they are directly responsible for the slowness of 95% of the desktop users. Furthermore, average users are not even aware that alternative browsers exists, and some sites REQUIRE you to use IE.

With great power comes great responsibility. This isn't just a matter of "they can do whatever they want with their own program".

Re: HTTP over UDP? Just say no...

[iabervon]

Right, it would only work for one packet each way, which would be fine for images, HEAD requests, and so forth. A lot of what HTTP does doesn't rely of streams. If you need to know whether your packet arrived (e.g., a POST), you must use TCP. If a response doesn't arrive, you should use TCP (UDP might not be supported by the server, or the network is dropping packets).

So HTTP/UDP would be useful for cases where order doesn't matter, duplicates don't matter, and retransmission is simple (I still don't have anything for this URL, better ask again, maybe trying TCP).

Leave the heavy lifting to TCP, but if there's anything that's not heavy lifting, it's most of HTTP.

Re:so what?

[FooBarWidget]

"with where microsoft makes their browsers go faster"

And slower with non-IIS servers.

"they're getting MOST content faster than they would with crapzilla"

So you're saying most webservers run IIS, not Apache? Funny, last month Apache had a market share of 60%.
If you don't believe me, check out NetCraft: --> IE users actually get MOST content slower because MOST servers are running Apache. Apache has twice as much market share as IIS. Not to mention all the other small non-IIS web servers.

"If people can't stand that 1/10 of a second difference, then they would try to get a new browser."

If they know there is such a thing called "browser". For average users, that 'E' icon is the Internet itself. And the percentage of people who know that alternative browsers even exist are becoming smaller and smaller.

Re:so what?

[FooBarWidget]

"Just because most servers are apache doesn't mean most content comes from them, buddy."

Then give me some proof that most content comes from IIS servers. I've backed up my claims, now it's time to backup yours.

"That's like telling me that the newbie car mechanic doesn't know what a wrench is."

Wrong comparison. Newbie car mechanic == newbie programmer. Newbie car driver == newbie computer user.