Re: [hybi] Fwd: Gen-ART last call review of draft-ietf-hybi-thewebsocketprotocol-10

John Tamplin, Thu, 21 July 2011 03:57 UTC

From: John Tamplin <>
Date: Wed, 20 Jul 2011 23:57:26 -0400
Message-ID: <>
To: David Endicott <>
List-Id: Server-Initiated HTTP <>

On Wed, Jul 20, 2011 at 11:44 PM, David Endicott wrote:
> Giving me qualms of plausibility.  But I would challenge instead that this
> is a fault of the intermediaries and not our problem.

Sure. But the publication of the research led Safari and Firefox to
disable draft versions of WebSocket in their browsers because they
didn't want to be on the news for "Browser <xxx> led to an attack on
<yyy> thousand users ...".

By the nature of transparent intermediaries, it is hard to discern
information about them to do anything sensible with vulnerable ones,
such as disallow WebSocket operation, notify administrators, etc.

You could say users browsing to sites containing hostile code or
phishing is the fault of the user and it is their problem, but browser
vendors still want to help prevent damage to such users.

> I don't believe anyone suggested raw TCP sockets. In John's example, he
> is referring strictly to browser clients. As a programmer guy, I can write
> a websocket client in whatever language I want and pretend to be a websocket
> as polite or malicious as I want.

Certainly you can write WebSocket clients other than browsers.
However, most of the security restrictions come about because it is to
be used by a browser executing potentially hostile code.  If you
aren't a browser and are running your code directly on the client
machine, then obviously you can already do whatever you want.

John A. Tamplin
Software Engineer (GWT), Google