Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Mon, 27 September 2010 02:25 UTC


On 26 September 2010 18:35, Adam Barth <ietf@adambarth.com> wrote:
>> But I think that the usage of Sec- headers and a simple nonce
>> will give very good protection and that we only need do more if there
>> is a real clearly identified risk.
>
> With all due respect, I'm not convinced you have a strong enough
> handle on the required security properties to make such a bold claim.

Adam,

With all due respect, we need a more mature approach than - "tharr be
monster tharrrr!"

If you are unable to clearly define the problems that the current
handshake is trying to solve, then please find somebody with standing
to contradict my statement.

I have yet to see any description of any threat that is not addressed
by the Sec-headers and a nonce, nor do I see these as a whack-a-mole
approach.
Together these represent a type of header that an HTTP JavaScript
client is unable to generate and knowledge that JavaScript code is
unable to know.

What additional specific or generic attack vector is the space
insertion, character stripping and unframed binary data protecting
from?

regards
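
The Sec- header plus nonce approach argued for above, shown as an added example that is not part of the original message. It uses the Sec-WebSocket-Key / Sec-WebSocket-Accept exchange later standardized in RFC 6455, which postdates this thread; the function names and the sample request are assumptions made for illustration.

```python
import base64
import binascii
import hashlib

# Fixed GUID from RFC 6455 (the handshake standardized after this thread).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def accept_for(key: str) -> str:
    """Value the server must return in Sec-WebSocket-Accept for a client nonce."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_client_handshake(headers: dict) -> tuple:
    """Server side: return (ok, accept_value_or_reason) for an opening request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade"
    key = h.get("sec-websocket-key")
    if key is None:
        # Browser script using XMLHttpRequest or fetch cannot set Sec-* headers,
        # so a request without this header did not come from a WebSocket API call.
        return False, "missing Sec-WebSocket-Key"
    try:
        nonce = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False, "nonce is not valid base64"
    if len(nonce) != 16:
        return False, "nonce must be 16 bytes"
    return True, accept_for(key)

def check_server_response(sent_key: str, headers: dict) -> bool:
    """Client side: the response must carry a hash of this connection's nonce."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return h.get("sec-websocket-accept") == accept_for(sent_key)

if __name__ == "__main__":
    # Constructed sample request; the key is the RFC 6455 example nonce.
    req = {"Upgrade": "websocket", "Connection": "Upgrade",
           "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
           "Sec-WebSocket-Version": "13"}
    ok, accept = check_client_handshake(req)
    print(ok, accept)
    print(check_server_response(req["Sec-WebSocket-Key"],
                                {"Sec-WebSocket-Accept": accept}))
```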