[hybi] thewebsocketprotocol #25 (new): A WebSocket handshake strawman

["hybi issue tracker" <trac@tools.ietf.org>]

#25: A WebSocket handshake strawman
----------------------------------+-----------------------------------------
 Reporter:  sm+ietf@…             |       Owner:     
     Type:  defect                |      Status:  new
 Priority:  major                 |   Milestone:     
Component:  thewebsocketprotocol  |     Version:     
 Severity:  Active WG Document    |    Keywords:     
----------------------------------+-----------------------------------------
 Message posted by Adam Barth on 5 Oct, 2010:

 This document describes a handshake for the WebSocket protocol that
 resists cross-protocol attacks.  The handshake sends a fixed sequence of
 bytes and a random nonce from the client to the server to establish two
 keys for a bidirectional encrypted tunnel, which the parties then use for
 further communication.  Although an eavesdropper can determine the
 encryption keys, computing the keys requires knowledge of a globally
 unique identifier, making it unlikely that an observer unfamiliar with the
 the WebSocket protocol will interpret the encrypted bytes on the wire as
 anything other than random bytes.  Before explaining the handshake, we
 present a model of the threats posed by exposing a new network protocol to
 untrusted content running in a web browser.  We then work through some
 simple handshake designs to build intuition for what can go wrong in a
 flawed design.

 http://www.ietf.org/mail-archive/web/hybi/current/msg04285.html

-- 
Ticket URL: <http://zinfandel.levkowetz.com/wg/hybi/trac/ticket/25>
hybi <http://tools.ietf.org/hybi/>
The Hypertext-Bidirectional (HyBi) working group will seek
standardization of one approach to maintain bidirectional
communications between the HTTP client, server and intermediate
entities, which will provide more efficiency compared to the current
use of hanging requests.