Re: [hybi] WebSocket handshake (HTTP and SSO)

Adam Barth <ietf@adambarth.com> Wed, 01 September 2010 23:45 UTC

In-Reply-To: <C8A440CA.34665%joe.hildebrand@webex.com>
References: <AANLkTin4qBCJUjkgncV6okBPAJvTRfu+_uRUcnTsXArp@mail.gmail.com> <C8A440CA.34665%joe.hildebrand@webex.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 01 Sep 2010 16:44:50 -0700
Message-ID: <AANLkTin5+wC0hfrDyfHzr8q92kxqbDEGr=J2ceAsgjNj@mail.gmail.com>
To: Joe Hildebrand <joe.hildebrand@webex.com>
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)

On Wed, Sep 1, 2010 at 4:41 PM, Joe Hildebrand <joe.hildebrand@webex.com> wrote:
> On 9/1/10 5:30 PM, "Greg Wilkins" <gregw@webtide.com> wrote:
>> Sec-WebSocket-Key1: the ietf process failed 12345678
>
> It's too early to declare that, I hope.
>
> Let's start by understanding the requirement.  Gabriel, it looks like we
> don't have anything that addresses the rationale behind this handshaking
> approach in the requirements draft -- do you concur?
>
> Assuming that my quick skim of draft-ietf-hybi-websocket-requirements-01
> didn't miss anything, can someone propose language for the requirements
> draft that adequately captures what we're trying to protect against?

I believe this text in the requirements draft is sufficient:

[[
   REQ. 19:  WebSocket should be designed to be robust against cross-
      protocol attacks.  The protocol design should consider and
      mitigate the risk presented by WebSocket clients to existing
      servers (including HTTP servers).  It should also consider and
      mitigate the risk to WebSocket servers presented by clients for
      other protocols (including HTTP).

   Reason: As the Web Socket protocol is expected to be mainly used in
   browsers, a careful design is necessary to mitigate the chances for
   hostile JavaScript to use WebSocket for a cross-protocol attack
   against vanilla HTTP resources or non-HTTP servers.  Moreover, the design
   should prevent the possibility for cross-site XMLHttpRequest (using
   CORS or XDomainRequest) to be used for a cross-protocol attack
   against WebSocket resources, potentially violating integrity (though
   not confidentiality).
]]

Adam
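As an added illustration of the handshake Greg's line refers to (this is example code written for this page, not code from the thread, the draft, or any project), here is the server-side validation of the Sec-WebSocket-Key1/Key2 challenge from the draft-76 handshake (draft-ietf-hybi-thewebsocketprotocol-00). The sample key values are the worked example from that draft; the malformed key from Greg's message is assumed as the rejection case. A request without the Sec- headers, which a browser XMLHttpRequest cannot set, is refused rather than answered as WebSocket, which is the cross-protocol protection REQ. 19 asks for.

```python
import hashlib
import re
import struct


class HandshakeError(ValueError):
    """Raised when a client handshake does not satisfy the draft-76 rules."""


def key_to_part(key: str) -> int:
    """Reduce a Sec-WebSocket-Key1/2 value to its 32-bit challenge part.

    The digits are concatenated into one integer, which must divide
    evenly by the number of space characters in the header value.
    """
    digits = "".join(re.findall(r"\d", key))
    spaces = key.count(" ")
    if not digits or spaces == 0:
        raise HandshakeError("key needs at least one digit and one space")
    number = int(digits)
    if number % spaces != 0:
        raise HandshakeError("key number is not divisible by the space count")
    part = number // spaces
    if part > 0xFFFFFFFF:
        raise HandshakeError("key part does not fit in 32 bits")
    return part


def challenge_response(key1: str, key2: str, key3: bytes) -> bytes:
    """Compute the 16-byte body the server must return to prove it spoke WebSocket."""
    if len(key3) != 8:
        raise HandshakeError("key3 (request body) must be exactly 8 bytes")
    challenge = struct.pack(">II", key_to_part(key1), key_to_part(key2)) + key3
    return hashlib.md5(challenge).digest()


def server_response(headers: dict, body: bytes) -> bytes:
    """Validate parsed client headers; plain HTTP requests lack the Sec- keys."""
    for name in ("Sec-WebSocket-Key1", "Sec-WebSocket-Key2"):
        if name not in headers:
            raise HandshakeError(f"missing {name}: not a WebSocket client")
    return challenge_response(headers["Sec-WebSocket-Key1"],
                              headers["Sec-WebSocket-Key2"], body)


# Worked example values from the draft-76 text (not from this thread).
SPEC_KEY1 = "18x 6]8vM;54 *(5:  {   U1]8  z [  8"
SPEC_KEY2 = "1_ tx7X d  <  nw  334J702) 7]o}` 0"
SPEC_KEY3 = b"Tm[K T2u"
# Greg's key: digits 12345678 over 4 spaces do not divide evenly (assumed input).
GREG_KEY1 = "the ietf process failed 12345678"
```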