[hybi] thewebsocketprotocol #25 (new): A WebSocket handshake strawman
"hybi issue tracker" <trac@tools.ietf.org> Thu, 07 October 2010 21:56 UTC
#25: A WebSocket handshake strawman
----------------------------------+-----------------------------------------
 Reporter:  sm+ietf@…             |       Owner:
     Type:  defect                |      Status:  new
 Priority:  major                 |   Milestone:
Component:  thewebsocketprotocol  |     Version:
 Severity:  Active WG Document    |    Keywords:
----------------------------------+-----------------------------------------
Message posted by Adam Barth on 5 Oct, 2010:

This document describes a handshake for the WebSocket protocol that resists cross-protocol attacks. The handshake sends a fixed sequence of bytes and a random nonce from the client to the server to establish two keys for a bidirectional encrypted tunnel, which the parties then use for further communication. Although an eavesdropper can determine the encryption keys, computing the keys requires knowledge of a globally unique identifier, making it unlikely that an observer unfamiliar with the WebSocket protocol will interpret the encrypted bytes on the wire as anything other than random bytes.

Before explaining the handshake, we present a model of the threats posed by exposing a new network protocol to untrusted content running in a web browser. We then work through some simple handshake designs to build intuition for what can go wrong in a flawed design.

http://www.ietf.org/mail-archive/web/hybi/current/msg04285.html

--
Ticket URL: <http://zinfandel.levkowetz.com/wg/hybi/trac/ticket/25>
hybi <http://tools.ietf.org/hybi/>
The Hypertext-Bidirectional (HyBi) working group will seek standardization of one approach to maintain bidirectional communications between the HTTP client, server and intermediate entities, which will provide more efficiency compared to the current use of hanging requests.
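The property the abstract describes, as an added example that is not from the original post or from the strawman itself: keys derived only from a public nonce and a protocol identifier give no confidentiality, yet they keep script-chosen bytes from appearing verbatim on the wire. The GUID value, the fixed prefix, the HMAC-SHA256 key derivation and the keystream cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed placeholder: the strawman's real identifier is not given on this page.
PROTOCOL_GUID = b"00000000-0000-0000-0000-000000000000"
# Constructed stand-in for the "fixed sequence of bytes" the client sends first.
FIXED_PREFIX = b"EXAMPLE-WS-HANDSHAKE\r\n"


def derive_keys(nonce: bytes) -> tuple:
    """Derive one key per direction from the public nonce and the GUID (assumed KDF)."""
    c2s = hmac.new(PROTOCOL_GUID, b"client-to-server" + nonce, hashlib.sha256).digest()
    s2c = hmac.new(PROTOCOL_GUID, b"server-to-client" + nonce, hashlib.sha256).digest()
    return c2s, s2c


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (assumed cipher).

    Covers a single message; a tunnel would carry the counter across messages.
    """
    out = bytearray()
    for start in range(0, len(data), 32):
        pad = hmac.new(key, (start // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[start:start + 32], pad))
    return bytes(out)


def client_hello(nonce: bytes) -> bytes:
    """First bytes on the wire: the fixed sequence followed by the nonce."""
    return FIXED_PREFIX + nonce


def observer_recover(hello: bytes, wire: bytes) -> bytes:
    """A protocol-aware eavesdropper needs only the hello and the GUID."""
    c2s, _ = derive_keys(hello[len(FIXED_PREFIX):])
    return keystream_xor(c2s, wire)


if __name__ == "__main__":
    nonce = os.urandom(16)
    # Constructed payload: script-chosen text shaped like another protocol.
    payload = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    c2s, _ = derive_keys(nonce)
    wire = keystream_xor(c2s, payload)
    print("wire bytes:", wire.hex())
    print("'HTTP' visible on the wire:", b"HTTP" in wire)
    print("observer with the GUID recovers:", observer_recover(client_hello(nonce), wire))
```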