IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Greg Wilkins <gregw@webtide.com> Mon, 30 August 2010 21:37 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 363993A6870 for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 14:37:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.753
X-Spam-Level:
X-Spam-Status: No, score=-1.753 tagged_above=-999 required=5 tests=[AWL=0.224, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQi2lGq5+0By for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 14:37:10 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by core3.amsl.com (Postfix) with ESMTP id 277523A6866 for <hybi@ietf.org>; Mon, 30 Aug 2010 14:37:10 -0700 (PDT)
Received: by gyc15 with SMTP id 15so1799142gyc.31 for <hybi@ietf.org>; Mon, 30 Aug 2010 14:37:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.8.2 with SMTP id 2mr5346540anh.165.1283204260710; Mon, 30 Aug 2010 14:37:40 -0700 (PDT)
Received: by 10.100.248.12 with HTTP; Mon, 30 Aug 2010 14:37:40 -0700 (PDT)
In-Reply-To: <4C7BF060.7070501@isdg.net>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com> <4C7BF060.7070501@isdg.net>
Date: Tue, 31 Aug 2010 07:37:40 +1000
Message-ID: <AANLkTim=yKrVkRFhJow=+C91_Pfe6UsyyY3G-4i+o4fZ@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Hector Santos <hsantos@isdg.net>
Content-Type: text/plain; charset="UTF-8"
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 21:37:11 -0000

On 31 August 2010 03:54, Hector Santos <hsantos@isdg.net> wrote:
> Scott Ferguson wrote:
>> If we just punt and make applications write their own authentication
>> instead of piggybacking on the handshake, it would cost an extra round trip.
>
> But you also can't prevent this

+1

The handshake is a HTTP request that in many cases will be directed at
a general purpose HTTP server running applications that often have
sophisticated and mandated authentication mechanisms.

It may be difficult for deployers to get an exception to a deployment
policy that says: "all web applications will use XYZ authentication",
so any inability for the handshake to penetrate work with common
authentication mechanisms will an impediment to deployment.   Allowing
authentication exceptions for websocket handshakes may complicate
authentication schemes and increase risk of human error creating
security holes. Even if authentication exceptions are allowed for the
websocket, human error will mean that sometime wrong URL will be used
and the ws handshake will see authentication failures, so at the very
least these need to be handled in a reasonable way.

I really don't think we want to be in the game of: "oh you are using
XyZ authentication! why do you want to use that? You can use WS if
only you change to use PqY authentication".  We should just work with
commonly deployed HTTP authentication mechanisms, even if we think
they are rubbish etc.


cheers

v2.23.0 | Report a Bug | By Email