Re: [hybi] [Technical Errata Reported] RFC6455 (3215)
Jesse Katzman <jesse.katzman@gmail.com> Tue, 08 May 2012 05:00 UTC
Return-Path: <jesse.katzman@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CB0421F84BF for <hybi@ietfa.amsl.com>; Mon, 7 May 2012 22:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.383
X-Spam-Level:
X-Spam-Status: No, score=-3.383 tagged_above=-999 required=5 tests=[AWL=0.215, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WjOJFLUxrfHz for <hybi@ietfa.amsl.com>; Mon, 7 May 2012 22:00:36 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id B76B021F84A6 for <hybi@ietf.org>; Mon, 7 May 2012 22:00:34 -0700 (PDT)
Received: by yhq56 with SMTP id 56so5957033yhq.31 for <hybi@ietf.org>; Mon, 07 May 2012 22:00:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mmoiomyiL3XD0lDV9Zic4dtJm2XYR9TvTH6oP25MpZI=; b=IzWPpj8qejV2S6oVgTJu4qv+wx4GTw44ABhHDepim5MrnjWksXRdB4UbiwhoNTxfgz b5FoEzEikQvBGRbSRy+nr2kZ1cKEni4MtSAAVm/dGt2z0f+sXqPqaNAnEkCIT06hSiAO iaAOSHUlhKcBzYrkkmQ8zI1Of93go2oQzvoy24Qqj2FfcypAdR+tzRddYb3DAzzgyhCU t46MBvl8FsL8HeFXmBc6CHGHxCQ7RQFw6gkpr+MNIx5zsid2BuQ/Vg/ZAcHx//2rd2eh SFrLjadrRyQqmll67xU8O0A+FvL7H5s6a4SzKVD31FU/pd04XviazdKKp0G037fCN0PM UGMw==
MIME-Version: 1.0
Received: by 10.50.158.134 with SMTP id wu6mr9974669igb.47.1336453227731; Mon, 07 May 2012 22:00:27 -0700 (PDT)
Received: by 10.231.170.197 with HTTP; Mon, 7 May 2012 22:00:27 -0700 (PDT)
Received: by 10.231.170.197 with HTTP; Mon, 7 May 2012 22:00:27 -0700 (PDT)
In-Reply-To: <CABLsOLC-UrivyU-U-od+k3EKZugv-5ZSxj+TUYjgVYsYjtmeLg@mail.gmail.com>
References: <20120507003008.A70F2B1E002@rfc-editor.org> <CABLsOLC-UrivyU-U-od+k3EKZugv-5ZSxj+TUYjgVYsYjtmeLg@mail.gmail.com>
Date: Tue, 08 May 2012 01:00:27 -0400
Message-ID: <CAEBq9Tgx-ETsNdWLECsMARvWj8vDwh1dKp=dcmMNdMYquJUGxw@mail.gmail.com>
From: Jesse Katzman <jesse.katzman@gmail.com>
To: John Tamplin <jat@google.com>
Content-Type: multipart/alternative; boundary="14dae9340387e5da4604bf7f4342"
X-Mailman-Approved-At: Mon, 07 May 2012 22:02:02 -0700
Cc: hybi@ietf.org
Subject: Re: [hybi] [Technical Errata Reported] RFC6455 (3215)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2012 05:00:38 -0000
Hi John, Thank you for the explanation. I didn't realize it meant an in-browser application. I understand now. Thanks again, Jesse On May 6, 2012 11:01 PM, "John Tamplin" <jat@google.com> wrote: > On Sun, May 6, 2012 at 8:30 PM, RFC Errata System < > rfc-editor@rfc-editor.org> wrote: > >> Type: Technical >> Reported by: Jesse Katzman <jesse.katzman@gmail.com> >> >> Section: 5.3 >> >> Original Text >> ------------- >> The unpredictability of the masking key is essential to prevent authors >> of malicious applications from selecting the bytes that appear on the wire. >> >> Corrected Text >> -------------- >> >> >> Notes >> ----- >> I don't see how the client-to-server masking prevents "authors of >> malicious applications from selecting the bytes that appear on the wire". >> >> Maliciously changing the contents of a message simply requires a few more >> steps than it would without masking, as far as I can tell. >> > > Masking the client->server frames was heavily debated on this list for > months -- I encourage you read the archives rather than rehashing the > debate. > > Basically, WebSockets is unique in that you need to protect the network > infrastructure, even if you have hostile code running in the client, full > hostile control of the server, and the only piece you can trust is the > client browser. By having the browser generate a random mask for each > frame, the hostile client code cannot choose the byte patterns that appear > on the wire and use that to attack vulnerable network infrastructure. > > -- > John A. Tamplin > Software Engineer (GWT), Google >
- [hybi] [Technical Errata Reported] RFC6455 (3215) RFC Errata System
- Re: [hybi] [Technical Errata Reported] RFC6455 (3… Peter Saint-Andre
- Re: [hybi] [Technical Errata Reported] RFC6455 (3… Barry Leiba
- Re: [hybi] [Technical Errata Reported] RFC6455 (3… Jesse Katzman
- Re: [hybi] [Technical Errata Reported] RFC6455 (3… John Tamplin
- Re: [hybi] [Technical Errata Reported] RFC6455 (3… Jesse Katzman