Re: [hybi] A WebSocket handshake
Willy Tarreau <w@1wt.eu> Thu, 07 October 2010 07:04 UTC
Date: Thu, 07 Oct 2010 09:05:04 +0200
From: Willy Tarreau <w@1wt.eu>
To: Greg Wilkins <gregw@webtide.com>
Message-ID: <20101007070504.GL25988@1wt.eu>
References: <AANLkTimQ5x-v+Mz_OHrNDdtVd94E+HOBWwo3_f1ktEeg@mail.gmail.com> <AANLkTinw7CpY9d1pW0dEtY9kTLoY6dwoUcXHkLbK7b_q@mail.gmail.com> <AANLkTik4sgV17C_LL9AoJSk0kudk6jDb2N-icZ+DmneX@mail.gmail.com> <AANLkTimpEeOd0dzkLLvrHbyiykZxYHMCxHiSjzSRxC_d@mail.gmail.com>
In-Reply-To: <AANLkTimpEeOd0dzkLLvrHbyiykZxYHMCxHiSjzSRxC_d@mail.gmail.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] A WebSocket handshake
On Thu, Oct 07, 2010 at 05:42:10PM +1100, Greg Wilkins wrote:
> Exactly - the security architecture of the web makes that safe.
> No cookies or credentials for goodguy.somehost.com/secret/ are going
> to be sent to evilgenius.somehost.com/attack.

That's a good point that you're talking about cookies, Greg, because that's precisely one element which we will definitely need, and which will imply that some parts of the handshake will be variable.

Also, I don't see why we should make the handshake stricter than whatever an attacker already has control over in a browser. We just need the handshake to be as robust as any HTTP handshake, not more. If an attacker has control over the browser and the WS handshake does not permit anything, he will still be able to use plain HTTP and have much more control. So we can relax the rules a bit without turning browsers into massive attack sources.

Regards,
Willy
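As an added example (not part of the thread), a minimal Python model of the RFC 6265 cookie-scoping rules that Greg's quoted claim relies on: the host names and paths are the ones in the message, the cookie values are constructed, and the Domain= cookie shows the one configuration under which a cookie set on somehost.com does reach a sibling subdomain.

```python
# Added example (not from the mailing-list thread): minimal model of the
# RFC 6265 cookie-scoping rules behind the claim that cookies set for
# goodguy.somehost.com/secret/ are not sent to evilgenius.somehost.com/attack.
# Host names/paths are those quoted in the message; cookie values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # host (or Domain attribute) the cookie is scoped to
    path: str        # path scope, e.g. "/secret/"
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical host, or a subdomain at a label boundary."""
    rh, cd = request_host.lower(), cookie_domain.lower()
    return rh == cd or rh.endswith("." + cd)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_applies(cookie: Cookie, request_host: str, request_path: str) -> bool:
    """Would a browser attach this cookie to the request? (RFC 6265 5.4, ignoring
    Secure and expiry, which do not change the host/path question.)"""
    if cookie.host_only:
        host_ok = request_host.lower() == cookie.domain.lower()
    else:
        host_ok = domain_matches(request_host, cookie.domain)
    return host_ok and path_matches(request_path, cookie.path)

def cookies_for(jar, request_host: str, request_path: str) -> list:
    """Names of the cookies in `jar` a browser would send with this request."""
    return [c.name for c in jar if cookie_applies(c, request_host, request_path)]

# Constructed jar: a host-only cookie scoped to /secret/ on goodguy, plus one
# deliberately widened with Domain=somehost.com so it reaches every subdomain.
JAR = [
    Cookie("session", "constructed", "goodguy.somehost.com", "/secret/", True),
    Cookie("tracker", "constructed", "somehost.com", "/", False),
]
```

The host-only session cookie never reaches evilgenius.somehost.com, which is what makes the per-origin credential argument hold; only a cookie explicitly widened with a Domain attribute crosses to the sibling host.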