Re: [hybi] Handshake was: The WebSocket protocol issues.

[Bjoern Hoehrmann <derhoermi@gmx.net>]

* James Graham wrote:
>So there is an underlying issue here that I don't understand. It seems 
>clear to me that Adam and Eric's proposed handshake has a better 
>security story with regard to cross-protocol attacks than -75, -76, or 
>any other proposal other than using NPN with TLS. However there seem to 
>be a number of people who have problems with this proposed handshake to 
>the extent that they are prepared to forgo the security properties in 
>order to get something different. In general people seem to be aware 
>that they are making the security weaker since the arguments are mostly 
>about how different approaches will probably be good enough in practice 
>even though they are theoretically inferior.
>
>What I haven't followed is what the problems with the proposal actually 
>are. I understand that I have likely missed these in other messages, but 
>it would be helpful if people who believe that the proposed approach, or 
>aspects of it, are unworkable could summarise the outstanding issues 
>they see.

The conceptional difference between the CONNECT proposal and the Upgrade
proposal is that the former does not re-use the normal HTTP routing in-
formation (path, host, port) meaning you may have to implement Websocket
at a higher level than you might want to. There seems to be a lack of
data if using CONNECT is problematic and/or beneficial. The only other
part of the proposal is essentially "all traffic should be randomized",
and that has been proposed for either approach.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/