Re: [hybi] Masking only Payload/Extension Data
Greg Wilkins <gregw@webtide.com> Thu, 10 March 2011 13:48 UTC
Return-Path: <gregw@intalio.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C89503A69BA for <hybi@core3.amsl.com>; Thu, 10 Mar 2011 05:48:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.114
X-Spam-Level:
X-Spam-Status: No, score=-2.114 tagged_above=-999 required=5 tests=[AWL=-0.137, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnBCdSj4cKB5 for <hybi@core3.amsl.com>; Thu, 10 Mar 2011 05:48:36 -0800 (PST)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by core3.amsl.com (Postfix) with ESMTP id C09DF3A69B4 for <hybi@ietf.org>; Thu, 10 Mar 2011 05:48:35 -0800 (PST)
Received: by vxg33 with SMTP id 33so1827635vxg.31 for <hybi@ietf.org>; Thu, 10 Mar 2011 05:49:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.74.66 with SMTP id r2mr529736vdv.263.1299764993084; Thu, 10 Mar 2011 05:49:53 -0800 (PST)
Sender: gregw@intalio.com
Received: by 10.52.169.39 with HTTP; Thu, 10 Mar 2011 05:49:52 -0800 (PST)
In-Reply-To: <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com>
References: <4D77B885.5050109@callenish.com> <OF36FEDDC6.06951577-ON8825784E.0062343E-8825784E.0066AC27@playstation.sony.com> <AANLkTinau4g1pB_ccJ31u7WRi5npYtHvXE5YRn5uTbeV@mail.gmail.com> <AANLkTikB4YeaYiF_NVGn61c1YxpNWbmEWQZu1WcN+=Jf@mail.gmail.com> <1299704939.2606.238.camel@ds9.ducksong.com> <20110309214212.GA29190@1wt.eu> <AANLkTi=i=8aWg=6+T7=Kn5dWeKkW6MYVCH_CuNkt_ZMM@mail.gmail.com> <AANLkTimip9o0RoZaBfONCmg5nuJVWXjOKDKgAt8zrNVV@mail.gmail.com> <AANLkTikbFBeM6+hiURSBqxFyjc2Wc-yh8UJnZiO+U0JX@mail.gmail.com> <20110310103914.GA32389@1wt.eu> <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com>
Date: Fri, 11 Mar 2011 00:49:52 +1100
X-Google-Sender-Auth: 1DmVS24ocyQ7UPBS7z29osnSlFc
Message-ID: <AANLkTimfv4K9dhw9n2e5FboE2b9kCs8yZKrAb=iEFvAQ@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Joel Martin <hybi@martintribe.org>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Masking only Payload/Extension Data
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2011 13:48:37 -0000
On 10 March 2011 22:05, Joel Martin <hybi@martintribe.org> wrote: > I suspect most would agree that masking of everything is better than > stalling the protocol any longer, I don't think a bad design better than no design. The reasons that I believe the tiny increase in the attack surface is an acceptable risk are: + there are no known exploits or attacks based on this. + controlling the length field is difficult + browsers can mitigate by fragmentation + the protocol can mitigate by sending hello frames (or ping/pongs) after handshake In summary, there are no known (or even imagined) attacks, and if there were, we have mitigations that are possible that can be applied by browsers, within the current specification. cheers
- [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Yutaka_Takeda
- Re: [hybi] Masking only Payload/Extension Data Pat McManus @Mozilla
- Re: [hybi] Masking only Payload/Extension Data Willy Tarreau
- Re: [hybi] Masking only Payload/Extension Data Joel Martin
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Willy Tarreau
- Re: [hybi] Masking only Payload/Extension Data Joel Martin
- Re: [hybi] Masking only Payload/Extension Data Adam Barth
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Ian Fette (イアンフェッティ)
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Pat McManus @Mozilla
- Re: [hybi] Masking only Payload/Extension Data Andy Green
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Patrick McManus
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data Julian Reschke
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Bruce Atherton
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data David Endicott
- Re: [hybi] Masking only Payload/Extension Data Brian
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Greg Wilkins
- Re: [hybi] Masking only Payload/Extension Data John Tamplin
- Re: [hybi] Masking only Payload/Extension Data Salvatore Loreto