IETF Logo Mail Archive

Re: [hybi] A WebSocket handshake

Willy Tarreau <w@1wt.eu> Wed, 06 October 2010 08:19 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9D6413A6DE2 for <hybi@core3.amsl.com>; Wed, 6 Oct 2010 01:19:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.813
X-Spam-Level:
X-Spam-Status: No, score=-2.813 tagged_above=-999 required=5 tests=[AWL=-0.770, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fd3gEHqreD8A for <hybi@core3.amsl.com>; Wed, 6 Oct 2010 01:19:44 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id EBE0E3A68B0 for <hybi@ietf.org>; Wed, 6 Oct 2010 01:19:43 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o968KbgU023107; Wed, 6 Oct 2010 10:20:37 +0200
Date: Wed, 06 Oct 2010 10:20:37 +0200
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20101006082037.GB22844@1wt.eu>
References: <AANLkTimQ5x-v+Mz_OHrNDdtVd94E+HOBWwo3_f1ktEeg@mail.gmail.com> <20101006053400.GC20095@1wt.eu> <AANLkTiknEw7SAQH_fbm-YkXvDpOQZavduM2D+JvpiGDf@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTiknEw7SAQH_fbm-YkXvDpOQZavduM2D+JvpiGDf@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] A WebSocket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2010 08:19:45 -0000

On Tue, Oct 05, 2010 at 11:57:40PM -0700, Adam Barth wrote:
> On Tue, Oct 5, 2010 at 10:34 PM, Willy Tarreau <w@1wt.eu> wrote:
> > Adam, could you please recheck the importance for this handshake to
> > have the invalid hostname ? It really is the only blocking issue I
> > can think of. If it is absolutely needed, maybe we could use something
> > like "<valid-hostname>.websocket.invalid" instead so that at least the
> > server-side components can route the request to the proper location ?
> 
> Using an invalid host name is important because we don't want the
> attacker to be able to choose any of the bytes in the initial message.

OK I understand your point, but this is no different from what the
attacker can already do with plain HTTP.

> Of course, virtual hosting is important.  We'll probably want to
> include the real Host header in the encrypted "additional information"
> sent with the initial handshake message so that the WebSocket server
> can dispatch the connection to the appropriate virtual host.

Except that right now the virtual hosting it handled at the boundary
and the websocket will be handled at the internals. That said, the
host part of a URL must at least respect the limited charset of the
DNS system. We don't have the %-encoding of the plain URLs.

Regards,
Willy

v2.23.0 | Report a Bug | By Email