Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

Willy Tarreau <> Tue, 06 September 2011 18:32 UTC

Date: Tue, 6 Sep 2011 20:34:03 +0200
From: Willy Tarreau <>
To: "Richard L. Barnes" <>
Cc: hybi <>
Subject: Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

On Tue, Sep 06, 2011 at 01:10:50PM -0500, Greg Longtin wrote:
> Richard,
> > To put it in a more succinct, more alarmist way: How long will it be
> > before WebSockets become popular for malware distribution?
> For traffic *from* client to server?  Seems odd.
> As to traffic from server to client, that isn't masked, and hence, a
> firewall could parse and scan it...

I would also add that the part that is concerned is *not* within the
HTTP messaging, and that firewalls that currently scan this would
have to carefully consider the Upgrade header's value as well; otherwise
they could not form any hypothesis about what they see there. For instance,
the string "../../bin/sh -c" could be perfectly valid in an RDP session
that runs over HTTP in Upgrade mode but might be dangerous in the case of
normal HTTP or even WebSocket. The difference is only known from the
contents of the Upgrade header; otherwise it's random junk.

So the masking here does not remove any ability for firewalls or other
intermediaries to analyze a stream they were already able to analyze.
And the masking was made cheap precisely so that those components will
be adapted to scan the contents at a low cost.
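The two points made in this message, that an intermediary can only interpret post-Upgrade bytes if it remembers which Upgrade token it saw, and that the client-to-server masking is cheap enough for such an intermediary to undo, can be shown in code. The block below is an added example, not code from the original post, from the draft, or from any of its authors. It follows the frame layout as published in RFC 6455 section 5.2 (the final form of the draft under discussion: a 4-byte masking key per client frame, XORed over the payload). The signature list, the payloads and the `scan_upgraded_stream` helper are constructed for this example and are hypothetical; a real firewall would use its own rules and a real stream reassembler.

```python
"""Added example: unmask a WebSocket client->server frame the way an
intermediary would, then scan the unmasked payload.

Framing per RFC 6455 section 5.2.  The SIGNATURES list, sample payloads and
the scanning helper are constructed for this example (hypothetical).
"""
import os
import struct
from typing import Dict, List, Optional, Tuple

# Hypothetical signature list; a real scanner would carry its own rules.
SIGNATURES = [b"../../bin/sh -c"]


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR byte i of the payload with key[i % 4].  Masking and unmasking are
    the same operation, so undoing it costs an intermediary one XOR per byte."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, key: Optional[bytes] = None,
                       opcode: int = 0x2) -> bytes:
    """Build one FIN frame with the MASK bit set, as a client is required to
    send (server->client frames are sent unmasked)."""
    if key is None:
        key = os.urandom(4)          # RFC 6455: fresh unpredictable key per frame
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    header = bytes([0x80 | (opcode & 0x0F)])   # FIN=1, RSV=000, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])                            # MASK=1, 7-bit len
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)   # 16-bit extended len
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)   # 64-bit extended len
    return header + key + mask_payload(payload, key)


def parse_frame(data: bytes) -> Tuple[Dict, bytes]:
    """Parse one frame from the front of data; return (frame, remaining bytes).
    The returned payload is already unmasked."""
    if len(data) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = data[0], data[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        if len(data) < pos + 2:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
    elif length == 127:
        if len(data) < pos + 8:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", data[pos:pos + 8])
        pos += 8
    key = b""
    if masked:
        if len(data) < pos + 4:
            raise ValueError("truncated masking key")
        key = data[pos:pos + 4]
        pos += 4
    if len(data) < pos + length:
        raise ValueError("truncated frame payload")
    payload = data[pos:pos + length]
    if masked:
        payload = mask_payload(payload, key)   # same XOR undoes the mask
    frame = {"fin": fin, "opcode": opcode, "masked": masked, "payload": payload}
    return frame, data[pos + length:]


def scan_upgraded_stream(upgrade_header: str, data: bytes) -> List[str]:
    """Hypothetical intermediary logic: what can be said about the bytes after
    a 101 response depends on the Upgrade token seen in the handshake.  For
    'websocket' the frames are unmasked and matched against SIGNATURES; for
    any other token (e.g. an RDP-over-HTTP upgrade) the bytes are opaque and
    no verdict is possible."""
    if upgrade_header.strip().lower() != "websocket":
        return ["opaque: cannot form a hypothesis about %r traffic" % upgrade_header]
    findings: List[str] = []
    frame_no = 0
    while data:
        frame, data = parse_frame(data)
        for sig in SIGNATURES:
            if sig in frame["payload"]:
                findings.append("frame %d: matched %r" % (frame_no, sig))
        frame_no += 1
    return findings
```

The frame the client sends never contains the signature in the clear, yet `scan_upgraded_stream` finds it after a per-byte XOR, which is the "cheap" property the message refers to. Feeding the same bytes in with a different Upgrade token makes the helper refuse to judge them, matching the point that the meaning of the stream is only known from the Upgrade header.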