Re: [hybi] Handshake was: The WebSocket protocol issues.

Eric Rescorla <ekr@rtfm.com> Sat, 09 October 2010 16:38 UTC

Date: Sat, 09 Oct 2010 09:39:57 -0700
From: Eric Rescorla <ekr@rtfm.com>
To: Greg Wilkins <gregw@webtide.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

On Sat, Oct 9, 2010 at 1:18 AM, Greg Wilkins <gregw@webtide.com> wrote:

> On 9 October 2010 11:43, Adam Barth <ietf@adambarth.com> wrote:
> > I don't know why you think that's so hard to set the response status.
> > There's a PHP function that does exactly that:
>
> Interesting - I tested it with apache2 and it does allow 1xx
> responses, even though they are not actually legal HTTP, especially to
> send 1xx responses with message bodies.
>
> But that's why we have defence in depth.
>

Defense in depth is an important security concept, but in general when I
design security systems, my objective is to have each layer of the defense
in depth be something I have a lot of confidence in. Certainly, I'd rather
have a single security layer that I had a very high level of confidence in
than several layers that I only sort-of-trusted.


> I tried to spoof the content-length, but apache corrected the wrong
> value so that all the content the php script provided was sent as the
> body of the 101 response.
>
> Also my attempts to send a null character resulted in 501 Method Not
> Implemented responses and a closed connection.


I'm generally not very persuaded by this kind of experiment. There is a huge
diversity of Web server behaviors and so just because one server doesn't let
you do X doesn't mean that another server doesn't. It's not really practical
to have a complete survey of Web server behavior for the vast majority of
questions.

Accordingly, I'd like to have a design that makes as few assumptions about
the behavior of the target server as possible and I'd like those assumptions
to be rooted to the extent possible in behaviors which either (1) are
required by standards or (2) are required for the server to function
interoperably at all, if not both. Do you disagree?

-Ekr
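The experiment Greg describes above (a server-side script trying to emit a 101 response with a body and a spoofed Content-Length, and the server either correcting it, passing it through, or rejecting it with a 501) is the kind of thing that has to be re-run per server to mean anything, which is Ekr's point. The following is an added example, not code from either poster or from the hybi working group: a small Python checker that parses a raw HTTP response and reports exactly those three outcomes, plus a probe helper that sends a raw request and classifies whatever comes back. The sample responses embedded below are constructed by hand to illustrate the three cases; none of them was captured from Apache or any other real server.

```python
"""Classify raw HTTP responses for the handshake-forgery experiment:
did the server emit a 1xx status with a body, did it keep or rewrite the
Content-Length the script supplied, or did it refuse the output outright?

Added example; the SAMPLES below are constructed, not captured."""

import socket


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP/1.x response into version, status, headers, body.

    Raises ValueError for anything a browser would not treat as an HTTP
    response at all (no end-of-headers marker, malformed status line)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"version": parts[0].decode("ascii", "replace"),
            "status": int(parts[1]), "headers": headers, "body": body}


def classify(raw: bytes) -> dict:
    """Report the properties the experiment cares about."""
    r = parse_response(raw)
    declared = r["headers"].get(b"content-length")
    declared_len = int(declared[0]) if declared else None
    actual_len = len(r["body"])
    return {
        "status": r["status"],
        # 1xx responses must not carry a body; a server that lets one
        # through is letting the script control what follows the headers.
        "informational_with_body": 100 <= r["status"] < 200 and actual_len > 0,
        "declared_length": declared_len,
        "actual_length": actual_len,
        # True when the server passed a bogus Content-Length through
        # untouched instead of rewriting it to what was actually sent.
        "length_mismatch": declared_len is not None and declared_len != actual_len,
        # Did a NUL byte survive into the header block?
        "nul_in_headers": b"\x00" in raw.partition(b"\r\n\r\n")[0],
    }


def probe(host: str, port: int, request: bytes, timeout: float = 5.0) -> dict:
    """Send a raw request to a real server and classify the reply.

    Network use is optional; run_samples() exercises classify() offline.
    Include 'Connection: close' in the request so the read terminates."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify(b"".join(chunks))


# Constructed responses illustrating the three outcomes in the thread.
SAMPLES = {
    # Script set a 101 and wrote a body; the server rewrote Content-Length
    # to match the bytes actually emitted (the apache2 behavior described).
    "101_body_length_corrected":
        b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: WebSocket\r\n"
        b"Content-Length: 12\r\n\r\nhello world!",
    # Same script on a hypothetical server that passed the bogus length
    # through untouched.
    "101_body_length_spoofed":
        b"HTTP/1.1 101 Switching Protocols\r\nContent-Length: 0\r\n\r\nhello world!",
    # Server refused the script's output entirely.
    "501_rejected":
        b"HTTP/1.1 501 Method Not Implemented\r\nConnection: close\r\n"
        b"Content-Length: 0\r\n\r\n",
}


def run_samples() -> dict:
    """Classify every constructed sample; keyed by sample name."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

To repeat the experiment against a live server, point probe() at it with a request for the script and compare the result dictionaries across servers; a single server's answer says nothing about the others.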