[hybi] -09: security considerations

Peter Saint-Andre <stpeter@stpeter.im> Fri, 17 June 2011 16:48 UTC


First, I am not a member of the security mafia.

However, the security considerations section seems incomplete to me. I
suggest that the author and WG spend some quality time with RFC 3552
(and with other RFCs that have good discussions of security) to make
this section more robust and complete.

Questions to ask and answer include (but are not limited to):

1. What is the threat model against the architecture assumed in this
document? (And to answer that question, it would help to more clearly
explain the architecture.)

2. How will the protocol address confidentiality?

3. How will the protocol address data integrity?

4. How will the protocol address peer entity authentication?

5. How does the protocol ensure strong security (RFC 3365)?

6. If certificates are to be used, how are they handled (RFC 6125 and
RFC 2818)?

7. What are the mandatory-to-implement TLS ciphersuites?

8. What are the security considerations related to technologies that are
reused in WebSocket (e.g., Base 64 and UTF-8)?

9. What information leaks are possible?

10. What denial of service attacks (RFC 4732) are possible and what
measures can be taken to prevent those attacks?

11. What is the relationship, if any, between the security of the
WebSocket protocol and the security of HTTP? In what ways does this
protocol build on HTTP from a security perspective, and in what ways
does it need additional security mechanisms?

I'm sure the reviewer from the IETF Security Directorate will come up
with more questions than that, so we need to be prepared.

A personal note: in revising RFC 3920 to produce RFC 6120, I put a great
deal of thought and time into writing the security considerations
section, which ended up being 20 pages long. That might be longer than
necessary here, but I think 2 pages is a bit shy of what we need.


Peter Saint-Andre