Re: [hybi] Masking only Payload/Extension Data
David Endicott <dendicott@gmail.com> Thu, 10 March 2011 18:32 UTC
Date: Thu, 10 Mar 2011 13:33:17 -0500
From: David Endicott <dendicott@gmail.com>
To: Bruce Atherton <bruce@callenish.com>
Cc: Hybi <hybi@ietf.org>
Count me in as +1 in favour of no masking. My reasoning being:

1. An application layer using a Websocket API cannot affect the headers, only payload.
2. The Websocket connection is an *established* TCP connection that has already navigated any intermediaries and satisfied their connection requirements.
3. If these intermediaries choose to examine the data being passed through this established connection, then it is their problem if they expose themselves.
4. This alleged intermediary vulnerability would be available via any malformed stream, if the intermediary is doing content examination.
5. Masking does not prevent man-in-the-middle attacks as the masking key is included with the frame.
6. Agents that open a bare TCP connection and emulate Websocket allow the attacker to craft custom frames or handshakes. They can of course generate whatever end-result masking they need.

So, I conclude that masking does not protect against (a) man-in-the-middle or (b) a malicious application layer, or (c) attack application.

Further, since the initial HTTP Upgrade handshake negotiates connection establishment via any intermediary (satisfies proxies, etc.), we must feel free to transmit any data content without worrying we would disturb any hops between endpoints. That is fundamental to the definition of transparent intermediary.

On Thu, Mar 10, 2011 at 1:18 PM, Bruce Atherton <bruce@callenish.com> wrote:
> Are we voting on this now? If so, add my +1 for the proposal not to mask the
> framing.
>
> On 10/03/2011 2:25 AM, Brian wrote:
>>
>> By my count, we have six voices in favor so far, including myself:
>> Andy Green
>> Yutaka Takeda
>> Greg Wilkins
>> Willy Tarreau
>> Joel Martin
>> Brian McKelvey
>>
>> One on record as not having a strong opinion one way or the other:
>> Ian Fette
>>
>> And one opposed:
>> Adam Barth
>>
>>
>
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>
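The frame layout the thread is arguing over, as an added example that is not part of David Endicott's message or of any hybi draft: it assumes the client-to-server masking that RFC 6455 eventually standardised, where a 4-byte masking key sits in the clear in the frame header and only the payload is XOR-masked with it, while the framing header itself is never masked. The function names are mine; the "Hello" frame bytes checked below are the worked example from RFC 6455 itself. Parsing the frame with nothing but the frame shows concretely what point 5 above says: whoever can read the frame can also unmask it.

```python
"""WebSocket client-frame masking per RFC 6455 (added illustration, not code
from the hybi thread). Shows that the masking key travels inside the frame,
so unmasking needs no secret beyond the bytes on the wire."""
import os
import struct
from typing import Optional, Tuple


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR byte i of the payload with key[i % 4]; masking and unmasking are the same op."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, key: Optional[bytes] = None, opcode: int = 0x1) -> bytes:
    """Build one FIN frame as a client must send it: MASK bit set, key in the header.
    The header bytes (FIN/opcode, MASK/length) are sent unmasked."""
    if key is None:
        key = os.urandom(4)  # RFC 6455 requires a fresh, unpredictable key per frame
    header = bytearray([0x80 | (opcode & 0x0F)])  # FIN=1, RSV=000, opcode
    n = len(payload)
    if n < 126:
        header.append(0x80 | n)                    # MASK=1, 7-bit length
    elif n < (1 << 16):
        header.append(0x80 | 126)                  # MASK=1, 16-bit extended length follows
        header += struct.pack("!H", n)
    else:
        header.append(0x80 | 127)                  # MASK=1, 64-bit extended length follows
        header += struct.pack("!Q", n)
    return bytes(header) + key + mask_payload(payload, key)


def parse_frame(frame: bytes) -> Tuple[int, bool, Optional[bytes], bytes]:
    """Parse one frame into (opcode, masked, key, payload).
    Everything needed to recover the payload is read from the frame itself."""
    if len(frame) < 2:
        raise ValueError("truncated frame header")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    n = frame[1] & 0x7F
    pos = 2
    if n == 126:
        (n,) = struct.unpack_from("!H", frame, pos)
        pos += 2
    elif n == 127:
        (n,) = struct.unpack_from("!Q", frame, pos)
        pos += 8
    key = None
    if masked:
        if len(frame) < pos + 4:
            raise ValueError("truncated masking key")
        key = frame[pos:pos + 4]
        pos += 4
    body = frame[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated payload")
    payload = mask_payload(body, key) if masked else body
    return opcode, masked, key, payload


if __name__ == "__main__":
    # Constructed sample: the RFC 6455 "Hello" text frame with its fixed key.
    sample_key = bytes([0x37, 0xFA, 0x21, 0x3D])
    wire = build_client_frame(b"Hello", sample_key)
    print("on the wire:", wire.hex())
    print("recovered from the frame alone:", parse_frame(wire))
```

Note that a server, or anything else on the path, unmasks with the key it just read from the header; the example's `parse_frame` never consults any out-of-band state.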