Re: [hybi] Handshake was: The WebSocket protocol issues.

Alexander Voronin <alexander.voronin@gmail.com> Mon, 27 September 2010 07:15 UTC


Well, that's what I've talked about. You have proposed a simple and clear
handshake that 100% protects the handshake state of a WebSocket connection and
as a result makes it impossible to use cross-protocol attacks. It's enough. Why
was this handshake turned into something unimaginably complex? All these new
steps do not protect anything.

On 27 September 2010 at 3:44, Maciej Stachowiak <mjs@apple.com> wrote:

>
> Here is an email from February where I summarized some of the risks from
> cross-protocol attacks for WebSocket:
>
> http://www.ietf.org/mail-archive/web/hybi/current/msg01198.html
>
>
>