Re: [hybi] WebSocket handshake (HTTP and SSO)

Gabriel Montenegro <gmonte@microsoft.com> Thu, 02 September 2010 00:18 UTC

From: Gabriel Montenegro <gmonte@microsoft.com>
To: Greg Wilkins <gregw@webtide.com>, Joe Hildebrand <joe.hildebrand@webex.com>
Thread-Topic: [hybi] WebSocket handshake (HTTP and SSO)
Date: Thu, 02 Sep 2010 00:18:52 +0000
Message-ID: <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFDC74@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
References: <AANLkTin4qBCJUjkgncV6okBPAJvTRfu+_uRUcnTsXArp@mail.gmail.com> <C8A440CA.34665%joe.hildebrand@webex.com> <AANLkTikiRDExYMMssa=Pa4K1pHHM8xmfzXh9dEvuwQhY@mail.gmail.com>
In-Reply-To: <AANLkTikiRDExYMMssa=Pa4K1pHHM8xmfzXh9dEvuwQhY@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)

I would hope that a potential simplification of this is still possible, especially if it does not water down whatever guarantees it is supposed to provide. I was assuming we would revisit this in the next phase after the framing got solidified.

> -----Original Message-----
> From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of Greg
> Wilkins
> Sent: Wednesday, September 01, 2010 5:04 PM
> To: Joe Hildebrand
> Cc: hybi; Brodie Thiesfield
> Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
> 
> On 2 September 2010 09:41, Joe Hildebrand <joe.hildebrand@webex.com>
> wrote:
> > On 9/1/10 5:30 PM, "Greg Wilkins" <gregw@webtide.com> wrote:
> >
> >> Sec-WebSocket-Key1: the ietf process failed 12345678
> >
> > It's too early to declare that, I hope.
> >
> > Let's start by understanding the requirement.  Gabriel, it looks like we
> > don't have anything that addresses the rationale behind this handshaking
> > approach in the requirements draft -- do you concur?
> 
> Joe,
> 
> as Adam pointed out, I think we do have consensus on the general
> requirement - i.e. that we should protect against cross-protocol
> attacks.
> While I don't think everybody agreed about the possibility of an
> injection attack, I think there were very few who did not accept that
> a nonce was a good idea.
> 
> It is just that when the nonce was added to the draft, it came with a
> unilaterally invented, non-discussed encoding of random characters and
> spaces.  It was also used as part of a fast-fail attempt that has
> further confused the issue.
> I agree with John that this is not a huge technical issue, but I think
> the strangeness of the encoding causes confusion, clouds the real
> issue and is a potential ongoing cause of misunderstandings.
> 
> Anyway, I've used up my message quota on this issue, so I'll let it
> go.  I think the process failed letting this get into an IETF WG draft
> in the first place, but it won't be the end of the world if it stays
> in.
> 
> cheers
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
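The "encoding of random characters and spaces" Greg refers to is the Sec-WebSocket-Key1/Key2 scheme of the draft-76 (hixie-76) handshake. As an added illustration, not code from the thread or from any WebSocket implementation, the following Python reconstructs both sides of that nonce exchange: the client hides a 32-bit number in each key by multiplying it by a space count and sprinkling in non-digit noise, and the server recovers the two numbers, concatenates them big-endian with the 8 raw key3 bytes, and answers with the MD5 of that 16-byte challenge. The sample header values are the draft's own worked example (assumed here to be reproduced correctly); the function names are this example's and carry no standing in the spec.

```python
import hashlib
import random
import struct
from typing import Tuple

# Draft-76 noise alphabet: printable ASCII minus digits and space
# (U+0021..U+002F and U+003A..U+007E).
NOISE_CHARS = [chr(c) for c in range(0x21, 0x30)] + [chr(c) for c in range(0x3A, 0x7F)]


def generate_key(rng: random.Random) -> Tuple[str, int]:
    """Client side: build one Sec-WebSocket-KeyN value the draft-76 way.

    Returns the header value and the hidden 32-bit number the server must
    recover from it.  The rng is injected so the round trip is reproducible.
    """
    spaces = rng.randint(1, 12)
    number = rng.randint(0, 4294967295 // spaces)
    key = str(number * spaces)
    # 1..12 non-digit, non-space characters at random positions (this is the
    # "random characters" half of the encoding).
    for _ in range(rng.randint(1, 12)):
        pos = rng.randint(0, len(key))
        key = key[:pos] + rng.choice(NOISE_CHARS) + key[pos:]
    # The spaces go anywhere except the two ends, so they survive header
    # whitespace trimming.
    for _ in range(spaces):
        pos = rng.randint(1, len(key) - 1)
        key = key[:pos] + " " + key[pos:]
    return key, number


def decode_key(value: str) -> int:
    """Server side: digits concatenated, divided by the number of spaces."""
    digits = "".join(ch for ch in value if ch in "0123456789")
    spaces = value.count(" ")
    if not digits or spaces == 0:
        raise ValueError("malformed key: needs digits and at least one space")
    number = int(digits)
    if number % spaces != 0:
        raise ValueError("malformed key: digits not divisible by space count")
    part = number // spaces
    if part > 0xFFFFFFFF:
        raise ValueError("malformed key: does not fit in 32 bits")
    return part


def server_response(key1: str, key2: str, key3: bytes) -> bytes:
    """The 16-byte body the draft-76 server sends after its 101 headers."""
    if len(key3) != 8:
        raise ValueError("key3 must be exactly 8 bytes")
    challenge = struct.pack(">II", decode_key(key1), decode_key(key2)) + key3
    return hashlib.md5(challenge).digest()


def round_trip(seed: int) -> bool:
    """Generate a key with a seeded rng and confirm the server recovers it."""
    key, number = generate_key(random.Random(seed))
    return decode_key(key) == number


# Constructed input: the sample handshake from draft-76 itself.
DRAFT76_KEY1 = "4 @1  46546xW%0l 1 5"
DRAFT76_KEY2 = "12998 5 Y3 1  .P00"
DRAFT76_KEY3 = b"^n:ds[4U"

if __name__ == "__main__":
    print("key1 ->", decode_key(DRAFT76_KEY1))
    print("key2 ->", decode_key(DRAFT76_KEY2))
    print("response:", server_response(DRAFT76_KEY1, DRAFT76_KEY2, DRAFT76_KEY3))
    print("round trip ok:", all(round_trip(s) for s in range(100)))
```

The point of the extra bytes is that an attacker who can coerce a browser into sending a crafted request to a non-WebSocket server cannot predict the 16-byte answer, so the client will tear the connection down rather than treat a foreign protocol's reply as a WebSocket stream. Note how much of the code is spent undoing the digit/space obfuscation rather than on the actual challenge; that is the "strangeness" the quoted message objects to.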