Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Fri, 01 October 2010 02:15 UTC

From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Fri, 01 Oct 2010 04:16:14 +0200
Message-ID: <25gaa6571smr8ad1fisg6c2uv2hjpk58lv@hive.bjoern.hoehrmann.de>
References: <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com>
In-Reply-To: <4CA53E6B.1040808@caucho.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

* Scott Ferguson wrote:
>For 2), client validation, there are two independent defenses
>
>2.1) "WEBSOCKET" method. If a hijacker cannot produce the "WEBSOCKET_" 
>bytes because the browsers restrict HTTP methods, the server can verify 
>the client as websocket with the first bytes, with the side effect of 
>offering a limited defense for some non-websocket servers against URL 
>and header cross-protocol attacks.

It may be worth considering using TRACE instead, which is more likely to
be blocked than a new method, and TRACE requests must not contain entity
bodies. A downside would be that blocking TRACE becomes a bit harder for
servers and intermediaries.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
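As an added illustration of the two points above (Scott's "first bytes" check on a dedicated handshake method, and Bjoern's observation that TRACE requests must not carry an entity body), the following Python is written for this page; it is not code from the thread or from any WebSocket implementation. The server reads the raw request buffer and rejects anything whose very first bytes are not the agreed method, then refuses any request that frames a body. The method names WEBSOCKET and TRACE come from the messages above; the sample requests, the head-size cap and the decision to apply the no-body rule to both methods are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_HEAD = 8192  # assumption: largest request head we are willing to buffer


@dataclass
class Verdict:
    accepted: bool
    reason: str
    method: Optional[str] = None


def split_head(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (head, rest); the head ends at the first blank line."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    return head, rest


def parse_head(head: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Parse 'METHOD target version' plus header lines into plain strings."""
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = (p.decode("ascii") for p in parts)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    return method, target, version, headers


def check_handshake(raw: bytes, expected_method: str) -> Verdict:
    """Accept only a request whose first bytes are the agreed method.

    The prefix test runs on the raw buffer, before any parsing, because that
    is the property the thread relies on: a client that cannot emit the
    method cannot produce those bytes, no matter what it puts in a body.
    """
    prefix = expected_method.encode("ascii") + b" "
    if not raw.startswith(prefix):
        return Verdict(False, "request does not start with %s" % expected_method)
    if b"\r\n\r\n" not in raw[:MAX_HEAD]:
        return Verdict(False, "request head too long or incomplete")
    try:
        head, rest = split_head(raw)
        method, target, version, headers = parse_head(head)
    except ValueError as exc:
        return Verdict(False, str(exc))
    if version != "HTTP/1.1":
        return Verdict(False, "unexpected HTTP version %s" % version, method)
    # No-entity rule: HTTP forbids a body on TRACE, and a handshake has no use
    # for one either, so refuse any body framing or trailing bytes (assumption:
    # applied to WEBSOCKET as well as TRACE).
    if "content-length" in headers or "transfer-encoding" in headers or rest:
        return Verdict(False, "handshake request must not carry a body", method)
    return Verdict(True, "ok", method)


# Constructed sample requests (not captured traffic).
GOOD = b"WEBSOCKET /chat HTTP/1.1\r\nHost: example.org\r\n\r\n"
# A script-driven request: ordinary method, the magic bytes hidden in the body.
FORGED = (b"POST /chat HTTP/1.1\r\nHost: example.org\r\n"
          b"Content-Length: 13\r\n\r\nWEBSOCKET /ch")
TRACE_OK = b"TRACE /chat HTTP/1.1\r\nHost: example.org\r\n\r\n"
TRACE_BODY = (b"TRACE /chat HTTP/1.1\r\nHost: example.org\r\n"
              b"Content-Length: 3\r\n\r\nabc")

if __name__ == "__main__":
    for label, req, method in (("good", GOOD, "WEBSOCKET"),
                               ("forged", FORGED, "WEBSOCKET"),
                               ("trace", TRACE_OK, "TRACE"),
                               ("trace+body", TRACE_BODY, "TRACE")):
        print(label, check_handshake(req, method))
```

The forged request is rejected by the prefix test alone, which is the point of doing that test on the raw bytes rather than after header parsing; the TRACE request with a body is rejected even though its request line is right.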