IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Hector Santos <hsantos@isdg.net> Tue, 31 August 2010 03:18 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E7B53A68E8 for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 20:18:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.527
X-Spam-Level:
X-Spam-Status: No, score=-3.527 tagged_above=-999 required=5 tests=[AWL=-2.392, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_14=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ef2HiBPlR-VZ for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 20:18:08 -0700 (PDT)
Received: from mail.winserver.com (ftp.catinthebox.net [208.247.131.9]) by core3.amsl.com (Postfix) with ESMTP id 9E8813A68E4 for <hybi@ietf.org>; Mon, 30 Aug 2010 20:18:03 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Mon, 30 Aug 2010 23:18:44 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 2842752453; Mon, 30 Aug 2010 23:18:43 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Mon, 30 Aug 2010 23:16:42 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3430848032; Mon, 30 Aug 2010 23:16:42 -0400
Message-ID: <4C7C746F.1040006@isdg.net>
Date: Mon, 30 Aug 2010 23:18:07 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Scott Ferguson <ferg@caucho.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net> <4C7C2A33.6010405@caucho.com>
In-Reply-To: <4C7C2A33.6010405@caucho.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 03:18:09 -0000

Scott Ferguson wrote:
>> When not just use the a HTTP.Authorization header?
> 
> That's not possible with DIGEST with the current handshake. 
> It is possible with BASIC.

If we are on the same wave length, I don't follow the HTTP AUTH 
protocol difference.

> but I'd like to allow/encourage 
> DIGEST or better for non-browser clients (it would be 
> invisible to the application developer).
> 
> The DIGEST operation looks something like (numbers are packets):
> 
>  1. client's GET/Upgrade - no authentication information
> 
>  2. s_nonce: server challenge (i.e. client needs to wait for a 
> round-trip to start.)
> 
>  3. client auth: user, H(s_nonce, H(user, password))
> 
> In WebSockets, #1 and #2 are HTTP, but #3 is not, it's the 
> packet with the random bytes, so you can't just use HTTP 
> header because we're no longer in HTTP mode.

Oh, I see. I was thinking in terms of two cases:

1) Browser Already Authenticated

In this case, the browser has HTTP.Authorization

    C1:  WebSocket GET/Upgrade include HTTP.Authorization
    S2:  Handles session accordingly

2) Browser Not already Authenticated

    C1:  WebSocket GET/Upgrade with NO HTTP.Authorization
    S2:  Issue 401 with HTTP.WWW-Authenticate: scheme
    C3:  WebSocket Closes Socket, performs login
    C4:  WebSocket GET/Upgrade include HTTP.Authorization
    S5:  Handles session accordingly

What I am wondering is about S2, C3 and C4 in general.

Also probably related, I see no security benefit in this handshake. 
The bad guy client can always validate a server handshake response 
whether it was correct or not.

> I'm just proposing that when non-browser clients do want to 
> use a standard authentication scheme and want save a handshake 
> round trips, that we allow that capability, which is 
> currently prevented by the current handshake design.

Yes, but unless I missing a critical point here, I don't see the 
savings is possible or worth in trying to avoid it.

If the browser session is already authenticated, then we already have 
a way to pass that information with the HTTP.Authorization header.  if 
WebSocket passed this with the same protocol mindset it used to pass 
the cookie header, I think it would work fine.

The issue I see is C2 and S3.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email