Re: [hybi] WebSocket handshake (HTTP and SSO)
Adam Barth <ietf@adambarth.com> Wed, 01 September 2010 23:45 UTC
In-Reply-To: <C8A440CA.34665%joe.hildebrand@webex.com>
References: <AANLkTin4qBCJUjkgncV6okBPAJvTRfu+_uRUcnTsXArp@mail.gmail.com> <C8A440CA.34665%joe.hildebrand@webex.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 01 Sep 2010 16:44:50 -0700
Message-ID: <AANLkTin5+wC0hfrDyfHzr8q92kxqbDEGr=J2ceAsgjNj@mail.gmail.com>
To: Joe Hildebrand <joe.hildebrand@webex.com>
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
On Wed, Sep 1, 2010 at 4:41 PM, Joe Hildebrand <joe.hildebrand@webex.com> wrote:
> On 9/1/10 5:30 PM, "Greg Wilkins" <gregw@webtide.com> wrote:
>> Sec-WebSocket-Key1: the ietf process failed 12345678
>
> It's too early to declare that, I hope.
>
> Let's start by understanding the requirement. Gabriel, it looks like we
> don't have anything that addresses the rationale behind this handshaking
> approach in the requirements draft -- do you concur?
>
> Assuming that my quick skim of draft-ietf-hybi-websocket-requirements-01
> didn't miss anything, can someone propose language for the requirements
> draft that adequately captures what we're trying to protect against?

I believe this text in the requirements draft is sufficient:

[[
REQ. 19: WebSocket should be designed to be robust against cross-protocol
attacks. The protocol design should consider and mitigate the risk
presented by WebSocket clients to existing servers (including HTTP
servers). It should also consider and mitigate the risk to WebSocket
servers presented by clients for other protocols (including HTTP).

Reason: As the Web Socket protocol is expected to be mainly used in
browsers, a careful design is necessary to mitigate the chances for
hostile JavaScript to use WebSocket for a cross-protocol attack against
vanilla HTTP resources or non-HTTP servers. Moreover, the design should
prevent the possibility for cross-site XMLHttpRequest (using CORS or
XDomainRequest) to be used for a cross-protocol attack against WebSocket
resources, potentially violating integrity (though not confidentiality).
]]

Adam
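An added illustration of the two halves of REQ. 19, written for this page and not taken from the thread or any draft: the server-side half of the draft-76 handshake (digits-divided-by-spaces key decoding and the MD5 proof a server must return), plus the reason a cross-site XHR cannot forge that handshake (browsers forbid script from setting `Sec-*`, `Upgrade` and `Connection` headers). The sample keys, body and host name are constructed for the example.

```python
import hashlib
import struct

# Request header names a browser refuses to let page script set on an
# XMLHttpRequest (any Sec-* header, plus hop-by-hop Upgrade/Connection), so a
# cross-site XHR, CORS or XDomainRequest, cannot dress itself up as a handshake.
XHR_FORBIDDEN_PREFIXES = ("sec-",)
XHR_FORBIDDEN_NAMES = {"upgrade", "connection"}

def settable_by_xhr(header_name: str) -> bool:
    """True if page script could set this header on a cross-site XHR."""
    n = header_name.lower()
    return n not in XHR_FORBIDDEN_NAMES and not n.startswith(XHR_FORBIDDEN_PREFIXES)

def key_number(key: str) -> int:
    """draft-76 key decoding: join the digits, divide by the number of spaces."""
    digits = int("".join(ch for ch in key if ch.isdigit()))
    spaces = key.count(" ")
    if spaces == 0 or digits % spaces != 0:
        raise ValueError("malformed Sec-WebSocket-Key")
    number = digits // spaces
    if number >= 2 ** 32:
        raise ValueError("Sec-WebSocket-Key number does not fit in 32 bits")
    return number

def challenge_response(key1: str, key2: str, body: bytes) -> bytes:
    """16-byte MD5 the server must echo in its 101 response; a plain HTTP
    server that merely ignored the unknown headers cannot produce it."""
    if len(body) != 8:
        raise ValueError("handshake body must be exactly 8 bytes")
    packed = struct.pack(">II", key_number(key1), key_number(key2)) + body
    return hashlib.md5(packed).digest()

def is_websocket_handshake(headers: dict) -> bool:
    """Does this request carry the headers only a real WebSocket client sends?"""
    h = {k.lower(): v for k, v in headers.items()}
    return (h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower()
            and "sec-websocket-key1" in h and "sec-websocket-key2" in h)

def handshake(headers: dict, body: bytes) -> bytes:
    """Server side: reject anything that is not a handshake, else answer it."""
    if not is_websocket_handshake(headers):
        raise ValueError("not a WebSocket handshake; refusing to process")
    h = {k.lower(): v for k, v in headers.items()}
    return challenge_response(h["sec-websocket-key1"], h["sec-websocket-key2"], body)

# Constructed sample handshake (not from any draft): "12 3 0" -> 1230 / 2 spaces
# = 615, "9 0 0" -> 900 / 2 spaces = 450, followed by an eight-byte body.
SAMPLE_HEADERS = {"Host": "example.invalid", "Upgrade": "WebSocket",
                  "Connection": "Upgrade",
                  "Sec-WebSocket-Key1": "12 3 0", "Sec-WebSocket-Key2": "9 0 0"}
SAMPLE_BODY = b"Tm[K T2u"
```

A plain HTTP POST carrying the same body fails `is_websocket_handshake`, and a page script cannot add the missing headers through XHR, which is the cross-protocol property REQ. 19 asks for.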