Re: [hybi] Why redirects are a bad for the security of WebSockets (was Re: Clarify wheter HTTP responses other than 101 are valid)
Patrick McManus <mcmanus@ducksong.com> Tue, 29 March 2011 07:00 UTC
Return-Path: <mcmanus@ducksong.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6DC2D3A6917 for <hybi@core3.amsl.com>; Tue, 29 Mar 2011 00:00:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ma72Oa8KMBLt for <hybi@core3.amsl.com>; Tue, 29 Mar 2011 00:00:04 -0700 (PDT)
Received: from linode.ducksong.com (linode.ducksong.com [64.22.125.164]) by core3.amsl.com (Postfix) with ESMTP id 6C2653A676A for <hybi@ietf.org>; Tue, 29 Mar 2011 00:00:04 -0700 (PDT)
Received: from dhcp-15b6.meeting.ietf.org (dhcp-15b6.meeting.ietf.org [130.129.21.182]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by linode.ducksong.com (Postfix) with ESMTPSA id 6B7AC10159; Tue, 29 Mar 2011 03:01:41 -0400 (EDT)
Message-ID: <4D9183D3.8030201@ducksong.com>
Date: Tue, 29 Mar 2011 09:01:39 +0200
From: Patrick McManus <mcmanus@ducksong.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <BANLkTi=0a84PA+2hN9U7S9uvNWgmestE2g@mail.gmail.com> <4D910DF0.4070204@ducksong.com> <BANLkTi=YMEc6_5jT7H8iik-mKimMoRgeUg@mail.gmail.com>
In-Reply-To: <BANLkTi=YMEc6_5jT7H8iik-mKimMoRgeUg@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi@ietf.org
Subject: Re: [hybi] Why redirects are a bad for the security of WebSockets (was Re: Clarify wheter HTTP responses other than 101 are valid)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 07:00:05 -0000
> I also don't buy your argument about simplifying the model by > increasing complexity. Adding complexity does not improve security. > Neither of us is arguing for increased complexity - we just have different views on what creates complexity. My argument is that adding restrictions and caveats is what adds the complexity. Vanilla HTTP is well understood and reusing that (Redirects, 401's, and all) as it is normally understood reduces the complexity of the definition.
- [hybi] Why redirects are a bad for the security o… Adam Barth
- Re: [hybi] Why redirects are a bad for the securi… Greg Wilkins
- Re: [hybi] Why redirects are a bad for the securi… Patrick McManus
- Re: [hybi] Why redirects are a bad for the securi… Adam Barth
- Re: [hybi] Why redirects are a bad for the securi… Iñaki Baz Castillo
- Re: [hybi] Why redirects are a bad for the securi… Adam Barth
- Re: [hybi] Why redirects are a bad for the securi… Patrick McManus
- Re: [hybi] Why redirects are a bad for the securi… Julian Reschke