Re: [hybi] WebSocket handshake (HTTP and SSO)
Scott Ferguson <ferg@caucho.com> Tue, 31 August 2010 16:18 UTC
Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 79CE53A69C8 for <hybi@core3.amsl.com>; Tue, 31 Aug 2010 09:18:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.219
X-Spam-Level:
X-Spam-Status: No, score=-2.219 tagged_above=-999 required=5 tests=[AWL=-0.220, BAYES_00=-2.599, J_CHICKENPOX_14=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KWMaN0JmHx2 for <hybi@core3.amsl.com>; Tue, 31 Aug 2010 09:18:45 -0700 (PDT)
Received: from smtp114.biz.mail.re2.yahoo.com (smtp114.biz.mail.re2.yahoo.com [66.196.116.99]) by core3.amsl.com (Postfix) with SMTP id 1CAE43A68D9 for <hybi@ietf.org>; Tue, 31 Aug 2010 09:18:44 -0700 (PDT)
Received: (qmail 98207 invoked from network); 31 Aug 2010 16:19:13 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp114.biz.mail.re2.yahoo.com with SMTP; 31 Aug 2010 09:19:12 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: Uro3THwVM1nOWMgPKIn0katKoj4U7t8WGJSsQl1b0cxe0CH VLz9sH4D0hJU_5P6ZFrIfscH_F__.9423aOf1pSt2Tmg2vOuqD28.2_WQDEs 5..sEd8c0v07EVxBLQuJW1oQ2JkvLPadtQQwwpxYJILAT8E.Dgwx5FECTEBq uOJso9Tm8aj.Mie002VDspD1uJPNSWWa5aKsUsXVguQfZEy25fHIGesPI3Ws JB5vkH6PsNFR4xAD_wMAeKDz.HD_GeSfDbra57U.5OuipdRaJ7aYroOq8Mz. ruyFQzpOBv0biaXml3vBDDo02Qfuje1cBkNhyjEjGUi6gKO1re5sc_2Q4Tft SO7p51uAPOfLV4ml.6DlrChofvluok72P746D_RZs8E.eEJN4sqKOc0rBaP2 inrLjSXRtsWQRvy04Lg--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4C7D2B74.8030702@caucho.com>
Date: Tue, 31 Aug 2010 09:19:00 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Hector Santos <hsantos@isdg.net>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net> <4C7C2A33.6010405@caucho.com> <4C7C746F.1040006@isdg.net>
In-Reply-To: <4C7C746F.1040006@isdg.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 16:18:46 -0000
Hector Santos wrote: > Scott Ferguson wrote: >>> When not just use the a HTTP.Authorization header? >> >> That's not possible with DIGEST with the current handshake. It is >> possible with BASIC. > > If we are on the same wave length, I don't follow the HTTP AUTH > protocol difference. DIGEST is a challenge/response style authentication, which means it uses a challenge from the server before sending its credentials. BASIC just sends the user and credentials in clear text. The advantage of a challenge/response style like DIGEST is you avoid sending the credentials in the clear. The disadvantage is that you have to wait for the server challenge before proceeding. For HTTP non-browser clients, challenge/response isn't really viable because it adds round trips. But for WebSockets non-browser clients, the server challenge is already built into the protocol, so someone could use a challenge/response authentication with zero extra overhead, and gain the benefit of protecting the credentials from snooping. > >> but I'd like to allow/encourage DIGEST or better for non-browser >> clients (it would be invisible to the application developer). >> >> The DIGEST operation looks something like (numbers are packets): >> >> 1. client's GET/Upgrade - no authentication information >> 2. s_nonce: server challenge (i.e. client needs to wait for a >> round-trip to start.) >> 3. client auth: user, H(s_nonce, H(user, password)) >> > > Oh, I see. I was thinking in terms of two cases: > > 1) Browser Already Authenticated > > In this case, the browser has HTTP.Authorization > > C1: WebSocket GET/Upgrade include HTTP.Authorization > S2: Handles session accordingly > > 2) Browser Not already Authenticated > > C1: WebSocket GET/Upgrade with NO HTTP.Authorization > S2: Issue 401 with HTTP.WWW-Authenticate: scheme > C3: WebSocket Closes Socket, performs login > C4: WebSocket GET/Upgrade include HTTP.Authorization > S5: Handles session accordingly > > What I am wondering is about S2, C3 and C4 in general. That design is basically due to a HTTP limitation because the core HTTP protocol is C1/S2, which WebSockets can fix because its minimal handshake is C1/S2/C3/S4. Because of the extra packets built into the WebSockets handshake, you can merge your C3/C4/S5 into the standard C1/S2/C3/S4 saving a round trip. The authentication handshake would look like: C1: WebSocket GET/Upgrade (no authorization is needed here) S2: WebSocket 101 with BASIC or DIGEST challenge (s_nonce or request for BASIC) C3: Client HELLO/AUTH with the authentication credentials (BASIC or DIGEST) S4: server validation of the credentials. Which is the same as the current handshake: C1: WebSocket GET/Upgrade (no authorization is needed here) S2: WebSocket 101 C3: Client HELLO/AUTH (credentials = 8 random bytes) S4: server validation of the credentials (the 8 random bytes) The only real difference is allowing other credential types beyond the current random bytes. If you think of the 8 random bytes as client authentication, this wouldn't even change the protocol, just allow different authentication schemes than "random bytes." The point I'm making is that the above authorization-required handshake is the exact same as our current non-authorization handshake, i.e. we can piggy-back the authorization without any extra round trips. > > Also probably related, I see no security benefit in this handshake. > The bad guy client can always validate a server handshake response > whether it was correct or not. I don't understand. A bad client can't generate the correct authentication credentials. That's the whole point of authentication. -- Scott
- [hybi] WebSocket handshake (HTTP and SSO) Brodie Thiesfield
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Eric Rescorla
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Brodie Thiesfield
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Hector Santos
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Joe Hildebrand
- Re: [hybi] WebSocket handshake (HTTP and SSO) Adam Barth
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins
- Re: [hybi] WebSocket handshake (HTTP and SSO) Gabriel Montenegro
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Willy Tarreau
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) Ian Fette (イアンフェッティ)
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) John Tamplin
- Re: [hybi] WebSocket handshake (HTTP and SSO) Benjamin Black
- Re: [hybi] WebSocket handshake (HTTP and SSO) Scott Ferguson
- Re: [hybi] WebSocket handshake (HTTP and SSO) Greg Wilkins