Re: [hybi] Masking only Payload/Extension Data

Greg Wilkins <gregw@webtide.com> Thu, 10 March 2011 13:48 UTC

In-Reply-To: <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com>
References: <4D77B885.5050109@callenish.com> <OF36FEDDC6.06951577-ON8825784E.0062343E-8825784E.0066AC27@playstation.sony.com> <AANLkTinau4g1pB_ccJ31u7WRi5npYtHvXE5YRn5uTbeV@mail.gmail.com> <AANLkTikB4YeaYiF_NVGn61c1YxpNWbmEWQZu1WcN+=Jf@mail.gmail.com> <1299704939.2606.238.camel@ds9.ducksong.com> <20110309214212.GA29190@1wt.eu> <AANLkTi=i=8aWg=6+T7=Kn5dWeKkW6MYVCH_CuNkt_ZMM@mail.gmail.com> <AANLkTimip9o0RoZaBfONCmg5nuJVWXjOKDKgAt8zrNVV@mail.gmail.com> <AANLkTikbFBeM6+hiURSBqxFyjc2Wc-yh8UJnZiO+U0JX@mail.gmail.com> <20110310103914.GA32389@1wt.eu> <AANLkTik-TNXCMygBu3WqBHyhJWaG-XUTjCdXud9zHOgX@mail.gmail.com>
Date: Fri, 11 Mar 2011 00:49:52 +1100
Message-ID: <AANLkTimfv4K9dhw9n2e5FboE2b9kCs8yZKrAb=iEFvAQ@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Joel Martin <hybi@martintribe.org>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Masking only Payload/Extension Data

On 10 March 2011 22:05, Joel Martin <hybi@martintribe.org> wrote:
> I suspect most would agree that masking of everything is better than
> stalling the protocol any longer,

I don't think a bad design is better than no design.


The reasons that I believe the tiny increase in the attack surface is
an acceptable risk are:

 + there are no known exploits or attacks based on this.
 + controlling the length field is difficult
 + browsers can mitigate by fragmentation
 + the protocol can mitigate by sending hello frames (or ping/pongs) after handshake

In summary, there are no known (or even imagined) attacks, and if
there were, we have mitigations that are possible that can be applied
by browsers, within the current specification.

cheers
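The framing the thread is arguing about, payload-only masking with the length field left readable, together with the two mitigations listed above (client-side fragmentation and a ping straight after the handshake), as an added example. This is not code from the hybi drafts or from any participant in the thread. It assumes the frame layout that RFC 6455 later standardized (FIN/opcode byte, MASK bit plus 7/16/64-bit length, a 4-byte masking key, XOR of the payload only); the function names, the 100-byte fragment bound and the sample messages are constructed for the example.

```python
import os
import struct

# Frame opcodes as RFC 6455 later fixed them (assumption: the drafts under discussion match)
OP_CONT, OP_TEXT, OP_PING, OP_PONG = 0x0, 0x1, 0x9, 0xA


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR every payload byte with the 4-byte masking key, cycling through the key.
    XOR is its own inverse, so the same call both masks and unmasks."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def encode_frame(opcode: int, payload: bytes, fin: bool, key: bytes) -> bytes:
    """Build one client-to-server frame. Only the payload is masked; the FIN/opcode
    byte, the MASK bit and the length field stay readable, which is the design
    the thread is weighing."""
    head = bytes([(0x80 if fin else 0x00) | (opcode & 0x0F)])
    n = len(payload)
    if n < 126:
        head += bytes([0x80 | n])
    elif n < (1 << 16):
        head += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return head + key + mask_payload(payload, key)


def encode_message(opcode: int, data: bytes, max_fragment: int,
                   keygen=lambda: os.urandom(4)) -> list:
    """Fragment a message so no frame carries more than max_fragment payload bytes:
    the first frame carries the opcode, the rest are continuation frames, and only
    the last one has FIN set. Every fragment gets its own fresh masking key."""
    if max_fragment < 1:
        raise ValueError("max_fragment must be positive")
    chunks = [data[i:i + max_fragment] for i in range(0, len(data), max_fragment)] or [b""]
    last = len(chunks) - 1
    return [encode_frame(opcode if i == 0 else OP_CONT, c, i == last, keygen())
            for i, c in enumerate(chunks)]


def _take(stream: bytes, pos: int, count: int) -> bytes:
    """Slice count bytes at pos, refusing to read past the end of the buffer."""
    if len(stream) - pos < count:
        raise ValueError("truncated frame")
    return stream[pos:pos + count]


def decode_frames(stream: bytes) -> list:
    """Server-side parser returning [(fin, opcode, payload), ...]. Client frames
    without the MASK bit are rejected rather than accepted in the clear."""
    frames, pos = [], 0
    while pos < len(stream):
        b0, b1 = _take(stream, pos, 2)
        pos += 2
        fin, opcode = bool(b0 & 0x80), b0 & 0x0F
        masked, n = bool(b1 & 0x80), b1 & 0x7F
        if n == 126:
            (n,) = struct.unpack("!H", _take(stream, pos, 2))
            pos += 2
        elif n == 127:
            (n,) = struct.unpack("!Q", _take(stream, pos, 8))
            pos += 8
        if not masked:
            raise ValueError("client-to-server frames must be masked")
        key = _take(stream, pos, 4)
        pos += 4
        frames.append((fin, opcode, mask_payload(_take(stream, pos, n), key)))
        pos += n
    return frames


def reassemble(frames: list) -> tuple:
    """Join the fragments of one data message back into (opcode, data). Control
    frames such as the post-handshake ping may sit between fragments; they are
    skipped here because they are never fragmented themselves."""
    opcode, parts = None, []
    for fin, op, payload in frames:
        if op in (OP_PING, OP_PONG):
            continue
        if opcode is None:
            if op == OP_CONT:
                raise ValueError("continuation frame without a starting frame")
            opcode = op
        elif op != OP_CONT:
            raise ValueError("new data frame while a message is still in progress")
        parts.append(payload)
        if fin:
            return opcode, b"".join(parts)
    raise ValueError("message never finished (no FIN)")


if __name__ == "__main__":
    # Constructed sample: a ping straight after the handshake, then a 300-byte
    # text message that the client chops into 100-byte fragments.
    wire = encode_frame(OP_PING, b"", True, os.urandom(4))
    wire += b"".join(encode_message(OP_TEXT, b"a" * 300, 100))
    parsed = decode_frames(wire)
    print([(fin, op, len(p)) for fin, op, p in parsed])
    print(reassemble(parsed))
```

Two details carry the argument above. The masking key sits in the clear between header and payload and changes per frame, so only the payload bytes are unpredictable on the wire while the length field is not; and `encode_message` bounds how many payload bytes any one frame holds, which is what the browser-side fragmentation mitigation amounts to. The parser refuses unmasked client frames outright rather than falling back to reading them, so a server built this way never sees unmasked client data even if a client omits the MASK bit.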