Re: [hybi] WebSockets : Question about masqued frames !

Iñaki Baz Castillo <ibc@aliax.net> Sat, 11 June 2011 06:26 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64D7B11E8076 for <hybi@ietfa.amsl.com>; Fri, 10 Jun 2011 23:26:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.655
X-Spam-Level:
X-Spam-Status: No, score=-2.655 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1xdhiMPHUuP for <hybi@ietfa.amsl.com>; Fri, 10 Jun 2011 23:26:54 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id E053A11E8071 for <hybi@ietf.org>; Fri, 10 Jun 2011 23:26:53 -0700 (PDT)
Received: by qyk29 with SMTP id 29so199908qyk.10 for <hybi@ietf.org>; Fri, 10 Jun 2011 23:26:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.17.17 with SMTP id q17mr2248523qca.154.1307773613376; Fri, 10 Jun 2011 23:26:53 -0700 (PDT)
Received: by 10.229.189.209 with HTTP; Fri, 10 Jun 2011 23:26:53 -0700 (PDT)
In-Reply-To: <20110611061514.GA2252@1wt.eu>
References: <002101cc26b7$c8901c20$59b05460$@fr> <4DF0F6C5.5050807@weelya.com> <BANLkTimfxbcwPmYMcqW=8d22Z8sEpTn6rg@mail.gmail.com> <20110611061514.GA2252@1wt.eu>
Date: Sat, 11 Jun 2011 08:26:53 +0200
Message-ID: <BANLkTi=uOTokzuU4iuqYtbpcAtywVaJiQQ@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
To: Willy Tarreau <w@1wt.eu>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org
Subject: Re: [hybi] WebSockets : Question about masqued frames !
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jun 2011 06:26:54 -0000

2011/6/11 Willy Tarreau <w@1wt.eu>eu>:
>> The author of the thread is not suggesting removing the client->server
>> masking, but just make it predictable (for example from the WS
>> handshake data) rather than having each frame its own masking key.
>> Would be any (security) issue in the suggested case? I don't think so,
>> but just wondering.
>
> This was discussed in great detail in the past (as everything around masking).
> The issue if the mask doesn't change is that the server knows it, so if it is
> running malicious code (and so does the client), then it can tell the mask to
> the client which will be able to emit predicted contents over the wire. So the
> mask must change between two exchanges so that the client cannot guess it.

Clear now. Thanks.



-- 
Iñaki Baz Castillo
<ibc@aliax.net>