Re: [hybi] A WebSocket handshake
Greg Wilkins <gregw@webtide.com> Thu, 07 October 2010 02:41 UTC
In-Reply-To: <AANLkTimZmabfm=rYoREGLhqJNP0SDhH_zL7V8onpGmKj@mail.gmail.com>
References: <AANLkTimQ5x-v+Mz_OHrNDdtVd94E+HOBWwo3_f1ktEeg@mail.gmail.com> <FE64D506-EB87-42D1-BFD3-AC3DC74A3599@brandedcode.com> <AANLkTimZmabfm=rYoREGLhqJNP0SDhH_zL7V8onpGmKj@mail.gmail.com>
Date: Thu, 07 Oct 2010 13:42:35 +1100
Message-ID: <AANLkTindR-gx6RwwbKmrczN=TFwfoKi_OxKuPSuzYn-s@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Hybi <hybi@ietf.org>
On 7 October 2010 01:21, Adam Barth <ietf@adambarth.com> wrote:
> We'll put the WebSocket URL in the additional information that comes
> with the initial message. We can either break that up into a request
> line and a Host header, or we can just include the whole URL as such.

I think you make the server more vulnerable to DoS attacks by delaying consideration of the URL and subprotocol.

Frequently servers will run many applications on many virtual hosts, real hosts and context paths. Only a subset of these may support websockets. This proposal would mean that the server would need to accept the connection, and thus cause the client onOpen event first, before it had validated that the connection was to an application that can handle websockets.

While I don't see any new vulnerability flowing directly from this, I believe that it is not a desirable state of affairs from either a security or resource allocation point of view.

> The point of putting in the additional information is so that it can
> be encrypted, preventing the attacker from choosing any of the bytes
> on the wire.

If we really are going to have a content-free handshake that exchanges keys so that the rest of the connection can be encrypted, then we should just use TLS. I see little value and significant risks in inventing some TLS-lite handshake.

I think that we should improve the upgrade proposal to the best we can, and consider a concrete TLS proposal, and then we can consider if we support one or the other or both.

regards
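The routing check the message argues for, as an added example that is not part of the thread and not code from Jetty or any other project: the server parses the HTTP Upgrade request, resolves Host, context path and offered subprotocol against a registry of the applications that actually speak WebSocket, and only then decides whether to accept. A request for a host or path that does not serve WebSocket, or that offers only subprotocols the application cannot speak, is refused before any application-level open event could run. The registry contents, the hostnames, the status codes chosen for each rejection and the sample requests are all constructed for illustration; the handshake key exchange of the draft under discussion is deliberately left out, since the point here is validation order, not key derivation.

```python
"""Route-then-accept check for a WebSocket upgrade request (illustrative example)."""
from typing import Dict, List, Optional, Tuple

# Constructed registry: (virtual host, context path) -> subprotocols supported.
# Only a subset of a real server's applications speak WebSocket at all.
WS_APPS: Dict[Tuple[str, str], List[str]] = {
    ("chat.example.com", "/chat"): ["chat", "superchat"],
    ("api.example.com", "/events"): [],  # empty list: no subprotocol required
}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.1 request.

    Returns (method, target, headers) with header names lower-cased.
    Raises ValueError (or UnicodeDecodeError) on malformed input.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="strict").split("\r\n")
    if not lines or len(lines[0].split(" ")) != 3:
        raise ValueError("bad request line")
    method, target, version = lines[0].split(" ")
    if version != "HTTP/1.1":
        raise ValueError("upgrade requires HTTP/1.1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line: %r" % line)
        key = name.strip().lower()
        # Fold repeated headers with commas, as HTTP allows for list-valued fields.
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return method, target, headers


def route_upgrade(raw: bytes) -> Tuple[int, Optional[str]]:
    """Decide the handshake outcome before any application code runs.

    Returns (status, chosen_subprotocol); 101 means the upgrade is accepted.
    Everything else is a rejection that never reaches an application.
    """
    try:
        method, target, h = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    if method != "GET":
        return 405, None
    connection_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "upgrade" not in connection_tokens or h.get("upgrade", "").lower() != "websocket":
        return 400, None
    host = h.get("host", "").split(":")[0].lower()   # drop any :port
    path = target.split("?", 1)[0]                    # drop the query string
    if not host:
        return 400, None
    app = WS_APPS.get((host, path))
    if app is None:
        # This virtual host / context path does not serve WebSocket: reject now,
        # before the client ever sees an open event.
        return 404, None
    offered = [p.strip() for p in h.get("sec-websocket-protocol", "").split(",") if p.strip()]
    if not app:
        return 101, None            # application accepts any or no subprotocol
    for proto in offered:           # honour the client's preference order
        if proto in app:
            return 101, proto
    return 400, None                # client offered nothing this app can speak


# Constructed sample requests (not captured traffic).
GOOD = (b"GET /chat?room=1 HTTP/1.1\r\n"
        b"Host: chat.example.com\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: keep-alive, Upgrade\r\n"
        b"Sec-WebSocket-Protocol: superchat, chat\r\n\r\n")
WRONG_HOST = GOOD.replace(b"chat.example.com", b"www.example.com")

if __name__ == "__main__":
    print(route_upgrade(GOOD))        # (101, 'superchat')
    print(route_upgrade(WRONG_HOST))  # (404, None)
```

The ordering is the whole point: the registry lookup and subprotocol negotiation sit in front of the accept decision, so a connection to a host or path that does not speak WebSocket costs the server one parse and one error response rather than an open connection plus application state.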