IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Greg Wilkins <gregw@webtide.com> Thu, 02 September 2010 00:03 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6BAE03A68E2 for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 17:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.764
X-Spam-Level:
X-Spam-Status: No, score=-1.764 tagged_above=-999 required=5 tests=[AWL=0.213, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5DHsdOquQRib for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 17:03:46 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 3B5E73A67DB for <hybi@ietf.org>; Wed, 1 Sep 2010 17:03:46 -0700 (PDT)
Received: by fxm18 with SMTP id 18so5919778fxm.31 for <hybi@ietf.org>; Wed, 01 Sep 2010 17:04:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.239.132.132 with SMTP id 4mr577791hbr.47.1283385855810; Wed, 01 Sep 2010 17:04:15 -0700 (PDT)
Received: by 10.239.186.139 with HTTP; Wed, 1 Sep 2010 17:04:15 -0700 (PDT)
In-Reply-To: <C8A440CA.34665%joe.hildebrand@webex.com>
References: <AANLkTin4qBCJUjkgncV6okBPAJvTRfu+_uRUcnTsXArp@mail.gmail.com> <C8A440CA.34665%joe.hildebrand@webex.com>
Date: Thu, 02 Sep 2010 10:04:15 +1000
Message-ID: <AANLkTikiRDExYMMssa=Pa4K1pHHM8xmfzXh9dEvuwQhY@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Joe Hildebrand <joe.hildebrand@webex.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2010 00:03:47 -0000

On 2 September 2010 09:41, Joe Hildebrand <joe.hildebrand@webex.com> wrote:
> On 9/1/10 5:30 PM, "Greg Wilkins" <gregw@webtide.com> wrote:
>
>> Sec-WebSocket-Key1: the ietf process failed 12345678
>
> It's too early to declare that, I hope.
>
> Let's start by understanding the requirement.  Gabriel, it looks like we
> don't have anything that addresses the rationale behind this handshaking
> approach in the requirements draft -- do you concur?

Joe,

as Adam pointed out, I think we do have consensus on the general
requirement - ie that we should protect against cross protocol
attacks.
While I don't think everybody agreed about the possibility of an
injection attack, I think there were very few who did not accept that
a nonce was a good idea.

It is just that when the nonce was added to the draft, it came with a
unilaterally invented non discussed encoding of random characters and
spaces.  It was also used as part of a fast fail attempt that has
further confused the issue.
I agree with John that this is not a huge technical issue, but I think
the strangeness of the encoding causes confusion, clouds the real
issue and is a potential ongoing cause of misunderstandings.

Anyway, I've used up my message quota on this issue, so I'll let it
go.  I think the process failed letting this get into an ietf WG draft
in the first place, but it wont be the end of the world if it stays
in.

cheers

v2.23.0 | Report a Bug | By Email