IETF Logo Mail Archive

Re: [hybi] I-D Action:draft-ietf-hybi-thewebsocketprotocol-01.txt

Hector Santos <hsantos@isdg.net> Thu, 02 September 2010 07:03 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 903743A6A77 for <hybi@core3.amsl.com>; Thu, 2 Sep 2010 00:03:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.213
X-Spam-Level:
X-Spam-Status: No, score=-4.213 tagged_above=-999 required=5 tests=[AWL=-1.614, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYbMo3wGRAcd for <hybi@core3.amsl.com>; Thu, 2 Sep 2010 00:03:47 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [208.247.131.9]) by core3.amsl.com (Postfix) with ESMTP id 0990E3A68E1 for <hybi@ietf.org>; Thu, 2 Sep 2010 00:03:46 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Thu, 02 Sep 2010 03:04:32 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 3029100062; Thu, 02 Sep 2010 03:04:31 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Thu, 02 Sep 2010 03:02:24 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3617189547; Thu, 02 Sep 2010 03:02:23 -0400
Message-ID: <4C7F4C59.4010502@isdg.net>
Date: Thu, 02 Sep 2010 03:03:53 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Willy Tarreau <w@1wt.eu>
References: <20100901224502.0519B3A687C@core3.amsl.com> <AANLkTikP1CF22fL0rBniXmrxEoBAbTNfzP9kyiNA4nbb@mail.gmail.com> <AANLkTi=_1m36ThFZTH_aGE_Unz0KTeexJq_74UGr2j+u@mail.gmail.com> <B68E5323-E259-4D27-BB32-ED86961209FC@gbiv.com> <20100902051929.GD10275@1wt.eu> <4C7F3F21.3000200@isdg.net> <20100902061613.GK10275@1wt.eu>
In-Reply-To: <20100902061613.GK10275@1wt.eu>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Hybi HTTP <hybi@ietf.org>
Subject: Re: [hybi] I-D Action:draft-ietf-hybi-thewebsocketprotocol-01.txt
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2010 07:03:48 -0000

Willy Tarreau wrote:

> Well, this is precisely a consequence of the problem I talked about. POST
> has never been part of the SMTP protocol, and it's because the SMTP
> protocol is prone to such attacks that these checks have been added in
> implementations. Maybe some updates to the protocol have since been emitted
> to suggest this, but I always had the feeling that these protections were
> just good implementers' choices in face of a real threat.

Since this  behavior is no different that a client batching its 
commands with disregard for server responses (not intentional 
pipelining), this has long been mitigated in good MTAs.

The same will be true with websockets - the server always need to be 
control or it will be open to all sorts of issues.

The main thing here is that we are talking about hosting servers and 
whatever protocol is put together, we need to make sure that we don't 
make it hard to resolve the known formulas for threat entry points.

For example, one way to authenticate the WS client is to use IP such 
as it done with POP3-B4-SMTP methods where a POP3 host records an IP 
for another SMTP host to open a time window for SMTP IP-based allow 
relay.

For Websockets, it may work pretty well based on the fact most 
applications will mostly start with a browser client and ws client 
from the same IP. The same idea can be applied here:

    C1: HTTP request (possibly start HTTP or Cookie AUTH login)
    S2: HTTP page is served. IP recorded (optional TTL)
    C3: WS Client begin WS open and handshake
    S4: WS Server authenticates recorded IP, continues with handshake

S2 MAY opens a limited time window (TTL) for the 2nd session to 
appear.   It helps resolve the unsolicited WS client request issue for 
servers that expect WS clients to begin with an HTTP server prepared 
client.

Lets keep in mind something here folks - the mindset has changed to 
even allowing a TCP socket connection to be part of the browser (and 
many of the HTML5 aspect with LOCAL I/O).

Its taken a long time to even view this as "acceptable" but that 
should not be a taken lightly or become a reason to relax with all the 
security concerns.  Its too easy to fall trap in this open generation 
of meshed connections.

If we fail with that, WEBSOCKETS will be turned off which is something 
a QA conscious browser will probably soon need to add to its user 
setup interface in the same way Javacript can be still be turned off. 
  If not done right, expect the NoWebSocket plug-ins to appear.


-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email