Re: [hybi] Why not just use ssh?

"Shelby Moore" <> Thu, 02 September 2010 02:00 UTC


Why do we think cross-protocol is a security hole, and then we think the
WebSocket protocol is not a security hole?

If there exist protocols which enable certain risky features, such as
sending email (SMTP), what absolute assurance do we have there won't be
some poorly programmed WebSocket servers which expose similar risky

Should we block WebSockets too?

I think the logic necessarily follows that if we are compelled to block
cross-protocol, then we are also compelled to block WebSocket. Let's just
block everything, shut down the internet, that would definitely be secure.

This is an example of the failure directed castle security model
(insanity) I described:

Why can't we focus on real security as I described:

P.S. If same origin policy (SOP) is the protection against vulnerable
WebSocket servers, then it would also be for vulnerable protocols.
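The P.S. above turns on whether the same origin policy actually reaches a WebSocket server. The server-side half of that is the opening handshake: the browser sends an Origin header, and a server can refuse any origin it does not recognize, and can refuse anything that is not a well-formed WebSocket handshake at all (which is also what keeps a WebSocket endpoint from being driven by a request meant for some other protocol). The following is an added example, not code from this thread or from any hybi draft; the server, the allowed origin `https://app.example.test` and the sample requests are constructed for illustration. The `Sec-WebSocket-Key` / `Sec-WebSocket-Accept` pair is the worked example from RFC 6455.

```python
import base64
import binascii
import hashlib

# GUID defined by RFC 6455 for deriving Sec-WebSocket-Accept (real constant).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed allow-list: the only origin this hypothetical server serves.
ALLOWED_ORIGINS = {"https://app.example.test"}


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into its request line and a
    lower-cased header dict. Raises ValueError on malformed headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Compute Sec-WebSocket-Accept as RFC 6455 specifies:
    base64(SHA-1(client key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_handshake(raw: bytes, allowed_origins=ALLOWED_ORIGINS):
    """Validate a client handshake. Returns (True, accept_value) when the
    request is a well-formed WebSocket upgrade from an allowed origin,
    otherwise (False, reason). Anything that fails here should get a
    plain HTTP error response and never be treated as a WebSocket."""
    try:
        request_line, h = parse_request(raw)
    except ValueError as exc:
        return False, str(exc)
    if not (request_line.startswith("GET ") and request_line.endswith(" HTTP/1.1")):
        return False, "not an HTTP/1.1 GET"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "missing Connection: Upgrade"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        # The key must be base64 of exactly 16 random bytes.
        if len(base64.b64decode(key, validate=True)) != 16:
            return False, "bad Sec-WebSocket-Key"
    except (binascii.Error, ValueError):
        return False, "bad Sec-WebSocket-Key"
    # This is the server's enforcement of the same origin policy:
    # browsers always send Origin, and unknown origins are refused.
    origin = h.get("origin")
    if origin is None or origin not in allowed_origins:
        return False, "origin not allowed"
    return True, accept_key(key)


def build_request(origin=None, upgrade=True, key="dGhlIHNhbXBsZSBub25jZQ=="):
    """Assemble a constructed handshake request for demonstration."""
    lines = ["GET /chat HTTP/1.1", "Host: server.example.test"]
    if upgrade:
        lines += ["Upgrade: websocket", "Connection: Upgrade"]
    lines += ["Sec-WebSocket-Key: " + key, "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append("Origin: " + origin)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    print(check_handshake(build_request("https://app.example.test")))
    print(check_handshake(build_request("https://attacker.example.test")))
    print(check_handshake(build_request("https://app.example.test", upgrade=False)))
```

Run as a script, the first request is accepted with the RFC 6455 accept value `s3pPLMBiTxaQ9kYGzzhZRbK+xOo=`, the second is refused for its origin, and the third is refused because it is not a WebSocket upgrade at all. The design point is the order of the checks: structural validity first, then origin, so that a request arriving from some other protocol or a non-browser client never reaches application logic.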