Re: [hybi] I-D Action:draft-ietf-hybi-thewebsocketprotocol-01.txt

Hector Santos <hsantos@isdg.net> Thu, 02 September 2010 06:07 UTC

Willy Tarreau wrote:

> I would add that protocol naming and versioning is also an efficient
> way to protect against cross-protocol attacks, which is regularly
> brought to the table here... If SMTP required a version on its first
> line instead of ignoring all unparsable lines, we would not be looking
> for ways to prevent a web client from sending emails over SMTP through
> POST requests.

Speaking with my SMTP developer hat on, I don't follow, Willy, how this
is a problem.

Many MTAs already trap and count unknown commands. If the first command
is POST, you can reject the client immediately or prevent it from
going into the next state until it issues QUIT or drop the line for
excessive out-of-state commands.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
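
The behaviour described in the message above, as an added sketch that is not part of the original post and not taken from any MTA: a per-connection gate that rejects an HTTP method seen as the first command, or holds the session until QUIT, and drops the line after too many unknown or out-of-state commands. The names, reply texts, the two policy values and the default limit of three are assumptions, and the sample session is constructed.

```python
# Added illustration, not code from any MTA. Reply texts, policy names and the
# strike limit are assumptions; only the envelope up to RCPT is modelled.
HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE", "CONNECT"}
ANY = {"start", "greeted", "mail", "rcpt"}
RULES = {"HELO": (ANY, "greeted"), "EHLO": (ANY, "greeted"),  # verb -> (valid in, leads to)
         "MAIL": ({"greeted"}, "mail"), "RCPT": ({"mail", "rcpt"}, "rcpt")}
# Constructed input: an HTTP POST whose body carries SMTP commands.
CROSS = ["POST /form HTTP/1.1", "Host: mail.example", "Content-Length: 64", "",
         "HELO x", "MAIL FROM:<a@example.com>", "RCPT TO:<b@example.com>"]

class SmtpGate:
    def __init__(self, policy="reject", max_bad=3):  # policy: "reject" | "hold"
        self.policy, self.max_bad = policy, max_bad
        self.state, self.bad, self.first, self.held = "start", 0, True, False

    def _strike(self, reply):  # unknown and out-of-state commands share a counter
        self.bad += 1
        if self.bad >= self.max_bad:
            return "421 too many bad commands, closing", False
        return reply, True

    def feed(self, line):  # returns (reply, keep_open)
        verb = (line.split() or [""])[0].upper()
        first, self.first = self.first, False
        if verb == "QUIT":
            return "221 bye", False
        if first and verb in HTTP_METHODS:
            if self.policy == "reject":
                return "421 HTTP request on SMTP port, closing", False
            self.held = True  # "hold": nothing but QUIT is accepted from now on
        if self.held:
            return self._strike("503 only QUIT accepted")
        if verb not in RULES:
            return self._strike("500 unrecognized command")
        allowed, nxt = RULES[verb]
        if self.state not in allowed:
            return self._strike("503 bad sequence of commands")
        self.state = nxt
        return "250 ok", True

def run(lines, **kw):  # feed lines until the gate closes
    gate, replies = SmtpGate(**kw), []
    for line in lines:
        reply, keep = gate.feed(line)
        replies.append(reply)
        if not keep:
            break
    return replies, gate.state
```

`run(CROSS)` closes on the first line under the "reject" policy; under "hold" the embedded HELO/MAIL/RCPT lines are never reached because every line after the POST is refused or the strike limit closes the connection first.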