Re: [hybi] I-D Action: draft-ietf-hybi-thewebsocketprotocol-09.txt
Patrick McManus <pmcmanus@mozilla.com> Wed, 15 June 2011 00:35 UTC
From: Patrick McManus <pmcmanus@mozilla.com>
To: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
In-Reply-To: <CA566BAEAD6B3F4E8B5C5C4F61710C11403256BF@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
References: <20110613233745.27187.94588.idtracker@ietfa.amsl.com> <BANLkTik3Lgp9H4EW1BwRj=n+OQFz6YN547A4y69SysoF7UXnzw@mail.gmail.com> <1308062227.1944.162.camel@ds9> <BANLkTim3PT8y3+u-99BRVb1WwzFUZyxAXQ@mail.gmail.com> <1308074802.1944.175.camel@ds9> <4DF7A9ED.3000609@warmcat.com> <CA566BAEAD6B3F4E8B5C5C4F61710C11403256BF@TK5EX14MBXW603.wingroup.windeploy.ntdev.microsoft.com>
Date: Tue, 14 Jun 2011 20:35:26 -0400
Message-ID: <1308098126.1944.194.camel@ds9>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] I-D Action: draft-ietf-hybi-thewebsocketprotocol-09.txt
On Tue, 2011-06-14 at 22:43 +0000, Gabriel Montenegro wrote:
> Whatever it is, it is best if both RSV and Opcode are handled the same way (either always fail the connection or always ignore)
>
> Does this clarify? Do folks agree that revising to failing in both cases is fine?

Yes, thanks. (Yes both to clarification and failing both.)

I've been talking with our security team and they are pretty strongly of the point of view that violations of the RSV and Opcode MUSTs need to result in failing the connection. That is what we did in our -07 implementation when the error handling was undefined. Silently redacting messages from the application stream by dropping is considered tantamount to corruption and is a security risk for the application.

There is a similar reaction to the -08+ requirement that (paraphrased) non-UTF-8 sequences are interpreted as U+FFFD. Silently rewriting the data is frowned on from a security pov. We are considering just failing such a non-conformant connection (and I suppose becoming non-conformant ourselves by doing so).

-Patrick
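The two receiver behaviours contrasted in the message above, written out as an added example that is not part of the original e-mail and not Mozilla's implementation: a small WebSocket frame parser that fails the connection on nonzero RSV bits or a reserved opcode rather than skipping the frame, with a strict UTF-8 path beside the lenient U+FFFD substitution the -08 draft required. The close codes (1002 protocol error, 1007 invalid data), the frame layout and the masked sample frame are taken from the published RFC 6455 rather than from the -09 draft under discussion; the published RFC ended up on the side argued here and requires failing the connection on invalid UTF-8. All sample frames are constructed for this example.

```python
"""Strict WebSocket frame receiver: fail the connection, never silently drop or rewrite."""
import struct

# Opcodes defined by the protocol; every other value is reserved.
OP_CONTINUATION, OP_TEXT, OP_BINARY = 0x0, 0x1, 0x2
OP_CLOSE, OP_PING, OP_PONG = 0x8, 0x9, 0xA
KNOWN_OPCODES = {OP_CONTINUATION, OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG}

# Close status codes as defined in RFC 6455 section 7.4.1 (assumed, not from the draft text).
CLOSE_PROTOCOL_ERROR = 1002
CLOSE_INVALID_DATA = 1007


class FailConnection(Exception):
    """Raised when the endpoint must fail the WebSocket connection."""

    def __init__(self, code, reason):
        super().__init__(f"{code}: {reason}")
        self.code = code


def parse_frame(buf, extensions_negotiated=False):
    """Parse one complete frame; return (fin, opcode, payload, bytes_consumed).

    Protocol violations raise FailConnection instead of being ignored.
    """
    if len(buf) < 2:
        raise ValueError("need at least 2 bytes for a frame header")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    rsv = (b0 >> 4) & 0x7          # RSV1..RSV3
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2

    # RSV bits MUST be zero unless a negotiated extension defines them: fail, do not ignore.
    if rsv and not extensions_negotiated:
        raise FailConnection(CLOSE_PROTOCOL_ERROR, f"nonzero RSV bits 0b{rsv:03b}")
    # Reserved opcodes: fail the connection rather than dropping the frame.
    if opcode not in KNOWN_OPCODES:
        raise FailConnection(CLOSE_PROTOCOL_ERROR, f"reserved opcode 0x{opcode:X}")

    if length == 126:
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
        if length >> 63:
            raise FailConnection(CLOSE_PROTOCOL_ERROR, "most significant bit of 64-bit length set")

    # Control frames (opcode >= 0x8) MUST NOT be fragmented or carry more than 125 bytes.
    if opcode >= 0x8 and (not fin or length > 125):
        raise FailConnection(CLOSE_PROTOCOL_ERROR, "fragmented or oversized control frame")

    key = b""
    if masked:
        key = bytes(buf[pos:pos + 4])
        pos += 4
    if len(buf) < pos + length:
        raise ValueError("incomplete frame")
    payload = bytes(buf[pos:pos + length])
    if masked:
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    return fin, opcode, payload, pos + length


def text_lenient(payload):
    """The -08 behaviour objected to above: invalid bytes are silently rewritten to U+FFFD."""
    return payload.decode("utf-8", errors="replace")


def text_strict(payload):
    """The behaviour argued for above: invalid UTF-8 fails the connection."""
    try:
        return payload.decode("utf-8", errors="strict")
    except UnicodeDecodeError as e:
        raise FailConnection(CLOSE_INVALID_DATA, f"invalid UTF-8 at byte {e.start}") from e


def receive_text(buf):
    """Parse one frame and return its text, failing the connection on any violation."""
    fin, opcode, payload, _ = parse_frame(buf)
    if opcode != OP_TEXT:
        raise FailConnection(CLOSE_PROTOCOL_ERROR, f"expected text frame, got opcode 0x{opcode:X}")
    return text_strict(payload)


def outcome(buf):
    """Return ('ok', text) or ('fail', close_code) for a received frame."""
    try:
        return ("ok", receive_text(buf))
    except FailConnection as e:
        return ("fail", e.code)


# Constructed sample frames. Unmasked ones are what a server would send.
GOOD_TEXT = bytes([0x81, 0x05]) + b"hello"      # FIN, opcode 1, 5-byte payload
RSV_SET = bytes([0xC1, 0x05]) + b"hello"        # RSV1 set with no extension negotiated
BAD_OPCODE = bytes([0x83, 0x05]) + b"hello"     # opcode 0x3 is reserved
BAD_UTF8 = bytes([0x81, 0x03]) + b"h\xffi"      # 0xFF can never occur in UTF-8
# Masked client frame "Hello" with key 37 fa 21 3d (the RFC 6455 section 5.7 example).
MASKED_TEXT = bytes([0x81, 0x85, 0x37, 0xFA, 0x21, 0x3D, 0x7F, 0x9F, 0x4D, 0x51, 0x58])
```

`outcome(BAD_UTF8)` fails the connection with 1007 where `text_lenient(b"h\xffi")` would hand the application `"h\ufffdi"` with no indication anything was altered; the RSV and opcode cases fail with 1002 before the payload is even looked at, which is the "handle both the same way" outcome agreed in the thread.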