Re: [hybi] A WebSocket handshake
Willy Tarreau <w@1wt.eu> Wed, 06 October 2010 08:19 UTC
Date: Wed, 06 Oct 2010 10:20:37 +0200
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] A WebSocket handshake

On Tue, Oct 05, 2010 at 11:57:40PM -0700, Adam Barth wrote:
> On Tue, Oct 5, 2010 at 10:34 PM, Willy Tarreau <w@1wt.eu> wrote:
> > Adam, could you please recheck the importance for this handshake to
> > have the invalid hostname ? It really is the only blocking issue I
> > can think of. If it is absolutely needed, maybe we could use something
> > like "<valid-hostname>.websocket.invalid" instead so that at least the
> > server-side components can route the request to the proper location ?
>
> Using an invalid host name is important because we don't want the
> attacker to be able to choose any of the bytes in the initial message.

OK I understand your point, but this is no different from what the
attacker can already do with plain HTTP.

> Of course, virtual hosting is important. We'll probably want to
> include the real Host header in the encrypted "additional information"
> sent with the initial handshake message so that the WebSocket server
> can dispatch the connection to the appropriate virtual host.

Except that right now the virtual hosting is handled at the boundary
and the websocket will be handled at the internals.

That said, the host part of a URL must at least respect the limited
charset of the DNS system. We don't have the %-encoding of the plain
URLs.

Regards,
Willy
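
The check a boundary component could apply to the "<valid-hostname>.websocket.invalid" form suggested in this message, as an added example that is not part of the original e-mail or of any WebSocket draft. The function names, the reject-by-None policy and the sample Host values are assumptions made for illustration.

```python
import re

# Suffix taken from the suggestion "<valid-hostname>.websocket.invalid".
SUFFIX = ".websocket.invalid"

# One DNS label in letters-digits-hyphen form: 1 to 63 characters,
# no leading or trailing hyphen. '%', ':', spaces and CR/LF never match.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_dns_hostname(host):
    """True if host uses only the limited DNS charset (no %-encoding, no port)."""
    if not host or len(host) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in host.split("."))


def routing_host(host_header):
    """Return the real virtual host carried in front of SUFFIX, or None.

    Hypothetical helper: a front-end would call this to pick the backend
    while the request still carries an unresolvable host name.
    """
    host = host_header.lower()
    if not host.endswith(SUFFIX):
        return None  # not the proposed form: do not guess a route
    real = host[: -len(SUFFIX)]
    # Reject anything outside the DNS charset before it reaches routing tables.
    return real if is_dns_hostname(real) else None


if __name__ == "__main__":
    # Constructed sample Host values, not taken from the thread.
    samples = [
        "chat.example.com.websocket.invalid",
        "chat.example.com",
        "ex%61mple.com.websocket.invalid",
        "example.com:80.websocket.invalid",
        ".websocket.invalid",
    ]
    for value in samples:
        print(repr(value), "->", routing_host(value))
```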