IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Ian Fette (イアンフェッティ) <ifette@google.com> Thu, 02 September 2010 00:48 UTC

Return-Path: <ifette@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BF23A3A6A0F for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 17:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.464
X-Spam-Level:
X-Spam-Status: No, score=-105.464 tagged_above=-999 required=5 tests=[AWL=0.212, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFNpSuRAedIE for <hybi@core3.amsl.com>; Wed, 1 Sep 2010 17:48:52 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 41EE23A684D for <hybi@ietf.org>; Wed, 1 Sep 2010 17:48:52 -0700 (PDT)
Received: from hpaq3.eem.corp.google.com (hpaq3.eem.corp.google.com [172.25.149.3]) by smtp-out.google.com with ESMTP id o820nLqk016562 for <hybi@ietf.org>; Wed, 1 Sep 2010 17:49:21 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1283388562; bh=54V52clKD+mHaOjfbHaJ7AzRtyU=; h=MIME-Version:Reply-To:In-Reply-To:References:Date:Message-ID: Subject:From:To:Cc:Content-Type; b=TSy9pTGdBswfzDOgCcscRV3YKgXiLtYOSxhm9nmge/oDq5d5ijP8M0OeKu484WqJG JLRfbD3z6v+lTD51bRw4Q==
Received: from qwa26 (qwa26.prod.google.com [10.241.193.26]) by hpaq3.eem.corp.google.com with ESMTP id o820nJoJ025657 for <hybi@ietf.org>; Wed, 1 Sep 2010 17:49:20 -0700
Received: by qwa26 with SMTP id 26so5205990qwa.20 for <hybi@ietf.org>; Wed, 01 Sep 2010 17:49:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:received:received:reply-to :in-reply-to:references:date:message-id:subject:from:to:cc :content-type; bh=WonXc5wS8UBtjlJ8p4y+L6WK9fd/JvSdUkVvQb1VQQA=; b=o39IzbB8Y3iP6lPmoAdSazvPEpSBgA9uRU8HagOtTCs3fEuRZC4QGIPsEOa2rsgobn ucEFtsUb5KeVrhrgVvdw==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; b=giKEoBM09d53ptKZXP24ryUCsP7xnL9B+TtOc8g1PFvK0DTudn3saHpHfuyz3EIrWk M/cLz414tglJR1BhUBEg==
MIME-Version: 1.0
Received: by 10.224.29.16 with SMTP id o16mr5691316qac.294.1283388559113; Wed, 01 Sep 2010 17:49:19 -0700 (PDT)
Received: by 10.229.13.225 with HTTP; Wed, 1 Sep 2010 17:49:18 -0700 (PDT)
In-Reply-To: <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFDC74@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
References: <AANLkTin4qBCJUjkgncV6okBPAJvTRfu+_uRUcnTsXArp@mail.gmail.com> <C8A440CA.34665%joe.hildebrand@webex.com> <AANLkTikiRDExYMMssa=Pa4K1pHHM8xmfzXh9dEvuwQhY@mail.gmail.com> <CA566BAEAD6B3F4E8B5C5C4F61710C110FAFDC74@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
Date: Wed, 01 Sep 2010 17:49:18 -0700
Message-ID: <AANLkTikW-txD=BCOfszoeEFE1qhLi_4ziAVi4cG-EEC2@mail.gmail.com>
From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
To: Gabriel Montenegro <gmonte@microsoft.com>
Content-Type: multipart/alternative; boundary="0015175ce0542cbd1b048f3c2fb2"
X-System-Of-Record: true
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ifette@google.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2010 00:48:53 -0000

In my mind, what would really help is a specific enumeration of attacks with
some minimal amount of information as reference, rather than only saying
"protect against cross protocol attacks." There are some experts in the
group who have much of this in their head, for the rest of us, it's really
nice to have a list that we can evaluate alternate proposals against, and
verify that "Yes, proposal X protects against attacks 1-5, while Proposal Y
misses attack 4."

Otherwise, it's really hard to have concrete discussions IMO.

On Wed, Sep 1, 2010 at 5:18 PM, Gabriel Montenegro <gmonte@microsoft.com>wrote:

> I would hope that a potential simplification of this is still possible,
> specially if it does not water down whatever guarantees it is supposed to
> provide. I was assuming we would revisit this in the next phase after the
> framing got solidified.
>
> > -----Original Message-----
> > From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of
> Greg
> > Wilkins
> > Sent: Wednesday, September 01, 2010 5:04 PM
> > To: Joe Hildebrand
> > Cc: hybi; Brodie Thiesfield
> > Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
> >
> > On 2 September 2010 09:41, Joe Hildebrand <joe.hildebrand@webex.com>
> > wrote:
> > > On 9/1/10 5:30 PM, "Greg Wilkins" <gregw@webtide.com> wrote:
> > >
> > >> Sec-WebSocket-Key1: the ietf process failed 12345678
> > >
> > > It's too early to declare that, I hope.
> > >
> > > Let's start by understanding the requirement.  Gabriel, it looks like
> we
> > > don't have anything that addresses the rationale behind this
> handshaking
> > > approach in the requirements draft -- do you concur?
> >
> > Joe,
> >
> > as Adam pointed out, I think we do have consensus on the general
> > requirement - ie that we should protect against cross protocol
> > attacks.
> > While I don't think everybody agreed about the possibility of an
> > injection attack, I think there were very few who did not accept that
> > a nonce was a good idea.
> >
> > It is just that when the nonce was added to the draft, it came with a
> > unilaterally invented non discussed encoding of random characters and
> > spaces.  It was also used as part of a fast fail attempt that has
> > further confused the issue.
> > I agree with John that this is not a huge technical issue, but I think
> > the strangeness of the encoding causes confusion, clouds the real
> > issue and is a potential ongoing cause of misunderstandings.
> >
> > Anyway, I've used up my message quota on this issue, so I'll let it
> > go.  I think the process failed letting this get into an ietf WG draft
> > in the first place, but it wont be the end of the world if it stays
> > in.
> >
> > cheers
> > _______________________________________________
> > hybi mailing list
> > hybi@ietf.org
> > https://www.ietf.org/mailman/listinfo/hybi
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email