Re: [hybi] WebSocket handshake (HTTP and SSO)

[Hector Santos <hsantos@isdg.net>]

Scott Ferguson wrote:
> Hector Santos wrote:
>> If we are on the same wave length, I don't follow the HTTP AUTH 
>> protocol difference.
> 
> DIGEST is a challenge/response style authentication, which means it uses 
> a challenge from the server before sending its credentials. BASIC just 
> sends the user and credentials in clear text.

Sorry, missed this (not so) subtle point. BASIC does not require an 
initial server challenge hence it can work unsolicited.

> The point I'm making is that the above authorization-required handshake 
> is the exact same as our current non-authorization handshake, i.e. we 
> can piggy-back the authorization without any extra round trips.

Ok, I trust your engineering here to see this.

>> Also probably related, I see no security benefit in this handshake. 
>> The bad guy client can always validate a server handshake response 
>> whether it was correct or not.
> 
> I don't understand. A bad client can't generate the correct 
> authentication credentials. That's the whole point of authentication.

I was referring to the websocket client random data and the websocket 
server "reassembly" and response.

Using the specs to model in my recent "proof of concept" work, I had a 
devil of a time getting it right causing the browser (chrome) to 
continue returning an INVALID_STATE_ERR and never firing OnOpen. It 
never set the websocket.readyState to 1 (open).

Well, bad guys will most like implement websocket clients which ignore 
the server response (always accept it) and simply move the ready state 
to open, and fire the onOpen.  I didn't see how this challenge helps 
except maybe to mitigate MITM threats.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com