Re: [hybi] WebSocket handshake (HTTP and SSO)
Hector Santos <hsantos@isdg.net> Tue, 31 August 2010 03:18 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E7B53A68E8 for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 20:18:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.527
X-Spam-Level:
X-Spam-Status: No, score=-3.527 tagged_above=-999 required=5 tests=[AWL=-2.392, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_14=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ef2HiBPlR-VZ for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 20:18:08 -0700 (PDT)
Received: from mail.winserver.com (ftp.catinthebox.net [208.247.131.9]) by core3.amsl.com (Postfix) with ESMTP id 9E8813A68E4 for <hybi@ietf.org>; Mon, 30 Aug 2010 20:18:03 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Mon, 30 Aug 2010 23:18:44 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 2842752453; Mon, 30 Aug 2010 23:18:43 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Mon, 30 Aug 2010 23:16:42 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3430848032; Mon, 30 Aug 2010 23:16:42 -0400
Message-ID: <4C7C746F.1040006@isdg.net>
Date: Mon, 30 Aug 2010 23:18:07 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Scott Ferguson <ferg@caucho.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net> <4C7C2A33.6010405@caucho.com>
In-Reply-To: <4C7C2A33.6010405@caucho.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 03:18:09 -0000
Scott Ferguson wrote: >> When not just use the a HTTP.Authorization header? > > That's not possible with DIGEST with the current handshake. > It is possible with BASIC. If we are on the same wave length, I don't follow the HTTP AUTH protocol difference. > but I'd like to allow/encourage > DIGEST or better for non-browser clients (it would be > invisible to the application developer). > > The DIGEST operation looks something like (numbers are packets): > > 1. client's GET/Upgrade - no authentication information > > 2. s_nonce: server challenge (i.e. client needs to wait for a > round-trip to start.) > > 3. client auth: user, H(s_nonce, H(user, password)) > > In WebSockets, #1 and #2 are HTTP, but #3 is not, it's the > packet with the random bytes, so you can't just use HTTP > header because we're no longer in HTTP mode. Oh, I see. I was thinking in terms of two cases: 1) Browser Already Authenticated In this case, the browser has HTTP.Authorization C1: WebSocket GET/Upgrade include HTTP.Authorization S2: Handles session accordingly 2) Browser Not already Authenticated C1: WebSocket GET/Upgrade with NO HTTP.Authorization S2: Issue 401 with HTTP.WWW-Authenticate: scheme C3: WebSocket Closes Socket, performs login C4: WebSocket GET/Upgrade include HTTP.Authorization S5: Handles session accordingly What I am wondering is about S2, C3 and C4 in general. Also probably related, I see no security benefit in this handshake. The bad guy client can always validate a server handshake response whether it was correct or not. > I'm just proposing that when non-browser clients do want to > use a standard authentication scheme and want save a handshake > round trips, that we allow that capability, which is > currently prevented by the current handshake design. Yes, but unless I missing a critical point here, I don't see the savings is possible or worth in trying to avoid it. If the browser session is already authenticated, then we already have a way to pass that information with the HTTP.Authorization header. if WebSocket passed this with the same protocol mindset it used to pass the cookie header, I think it would work fine. The issue I see is C2 and S3. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com
- [hybi] WebSocket handshake (HTTP and SSO) Brodie Thiesfield
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Eric Rescorla
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Brodie Thiesfield
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Joe Hildebrand
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Gabriel Montenegro
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Willy Tarreau
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins