Re: [hybi] I-D Action: draft-ietf-hybi-thewebsocketprotocol-13.txt
Willy Tarreau <w@1wt.eu> Fri, 09 September 2011 14:05 UTC
Date: Fri, 09 Sep 2011 16:06:37 +0200
From: Willy Tarreau <w@1wt.eu>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Message-ID: <20110909140637.GB30240@1wt.eu>
Cc: "hybi@ietf.org" <hybi@ietf.org>, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
Subject: Re: [hybi] I-D Action: draft-ietf-hybi-thewebsocketprotocol-13.txt

On Fri, Sep 09, 2011 at 09:56:48AM -0400, Richard L. Barnes wrote:
> > - clients are not required to accept masked frames, so the server MUST NOT
> >   send masked frames. Whether clients accept or not masked frames has no
> >   importance.
> >
> > - In order to ensure intermediary protection, clients MUST mask outgoing
> >   frames, and servers MUST NOT accept unmasked frames.
>
> Let's not fool ourselves that having servers reject unmasked frames does anything about intermediary protection.
>
> If there's a WS stack out there that an attacker can force to send unmasked frames, then the game is already over. The attacker just connects to a server under his control that will accept the unmasked frames, and the gig is up.

It's not what I'm targeting at all. My concern is that if we accept that
servers don't check, then laziness will win and we'll quickly see a number
of clients who won't mask at all because it works. And THEN server-side
controlled software will be an issue.

By ensuring that servers only accept masked frames, we force clients to always
enable masking.

Regards,
Willy
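
The rule argued for in this message, written as a receive-side frame check (an added example, not part of the original message or of any implementation discussed on the list): a server refuses any frame whose MASK bit is clear, and a client refuses any frame whose MASK bit is set. The names `parse_frame` and `FrameRejected`, the use of close code 1002, and the two sample frames are assumptions made for illustration; the frame layout is the WebSocket base framing.

```python
import struct

PROTOCOL_ERROR = 1002  # close code chosen here for a masking violation

class FrameRejected(Exception):
    """Raised when a frame violates the masking rule for its direction."""
    def __init__(self, close_code, reason):
        super().__init__(reason)
        self.close_code = close_code

def parse_frame(buf, role):
    """Parse one frame from buf as received by role ('server' or 'client').
    Returns (opcode, payload, bytes_consumed), or None if buf is incomplete."""
    if len(buf) < 2:
        return None
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    # Enforce the direction rule from the first two bytes alone, before any
    # length or payload is trusted: a lenient receiver lets non-masking peers work.
    if role == "server" and not masked:
        raise FrameRejected(PROTOCOL_ERROR, "unmasked frame from client")
    if role == "client" and masked:
        raise FrameRejected(PROTOCOL_ERROR, "masked frame from server")
    pos = 2
    if length == 126:            # 16-bit extended payload length
        if len(buf) < pos + 2:
            return None
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
    elif length == 127:          # 64-bit extended payload length
        if len(buf) < pos + 8:
            return None
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
    key_len = 4 if masked else 0
    if len(buf) < pos + key_len + length:
        return None
    key = buf[pos:pos + key_len]
    pos += key_len
    payload = buf[pos:pos + length]
    if masked:                   # unmask: XOR each byte with key[i mod 4]
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + length

# Constructed sample frames: a single text frame carrying "Hello".
MASKED_HELLO = bytes.fromhex("818537fa213d7f9f4d5158")    # client to server
UNMASKED_HELLO = bytes.fromhex("810548656c6c6f")          # server to client
```

A caller that catches `FrameRejected` would send a Close frame with `close_code` and drop the connection rather than process the payload.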