Re: [hybi] hybi Digest, Vol 51, Issue 14

Takeshi Yoshino <tyoshino@google.com> Thu, 06 June 2013 04:18 UTC

Return-Path: <tyoshino@google.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85F7911E80D3 for <hybi@ietfa.amsl.com>; Wed, 5 Jun 2013 21:18:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dF6Zs+pNIWDt for <hybi@ietfa.amsl.com>; Wed, 5 Jun 2013 21:18:53 -0700 (PDT)
Received: from mail-ea0-x236.google.com (mail-ea0-x236.google.com [IPv6:2a00:1450:4013:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id 36F8E11E80E4 for <hybi@ietf.org>; Wed, 5 Jun 2013 21:18:52 -0700 (PDT)
Received: by mail-ea0-f182.google.com with SMTP id r16so2154038ead.41 for <hybi@ietf.org>; Wed, 05 Jun 2013 21:18:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=y3yk2HRFmEetD5BZhaYuvp9IahpjortEgd4pvI8hN0o=; b=C6TXGIJZPz3PSLRrQl4nmyMoUFY6UbaYsZU/VdEk5Edckl0YoxEHjGAIxk8niNOhJW XzuVxj2nhXxVvMdw2N8YM76ptPyxscE041Qc38w8RGnAlVwPSN3fPodMOONBego6+Xg+ 36VhKiccYIaoESfgTN7j8odAkbrG9odjbuvRhUWuQ/QpHsEB4nPfVTD61ZX1ogks54Wu uVFeu/yHqtkDxN38crPg9NOcMyEjXCK1x9cVxe4ETN8d4BSnZBaLIggzSr2EXgJkWmhg UjTWXYFzCczfvm+ZfA2byFOhBfoq80FnUrtIQuY5gm2SI0t9g7MWAyh5Px8jlhoMR2I8 3PvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=y3yk2HRFmEetD5BZhaYuvp9IahpjortEgd4pvI8hN0o=; b=o71+YTodGGlbVBop+TRDbStkv53Uu1Qh+hbvJC0MUxMK7m7gw5k9Y+QuCkIL590VRz eVzkei55zNZJkumpPDgXgqXQiAe6AoQwj8owu/IK7OWEgzX+b9ZiZ9X5smAS02D/qzmK XZ1+c6w5Y1YnffNGHej7nqB4SoTgd3FUvlof7pZx+OYZaiHVUYmSiOVLMFkWD1Cylngc M3ynfBgzmZWvCxM7vWESIK0Cfu04RSQCoG5ZVrfmEQZQ3Erdf086Qhm02/T17cC56GLB jzxXn9KdSfLZ3CCd+B9gELjykWVJrEWZEjxyf0ZvHcVNvam4+p5HTPmOXVhrOxY2UylE Ohfw==
X-Received: by 10.15.32.142 with SMTP id a14mr31768900eev.152.1370492332117; Wed, 05 Jun 2013 21:18:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.86.67 with HTTP; Wed, 5 Jun 2013 21:18:31 -0700 (PDT)
In-Reply-To: <CANEdHmi7Rvb0SinwVmRBEFJMsVW3bPeOn_3f4qB33NfeYBJj6Q@mail.gmail.com>
References: <mailman.3.1369767603.10801.hybi@ietf.org> <CANEdHmgDD4OCQf009FijtEjU=LzhLoNLZHvXsBxgROmzAyR4+w@mail.gmail.com> <CAH9hSJYfhnmCOF7a9uovsYLObqdXwop35JB6r3PscFwfeO=R=g@mail.gmail.com> <CANEdHmi7Rvb0SinwVmRBEFJMsVW3bPeOn_3f4qB33NfeYBJj6Q@mail.gmail.com>
From: Takeshi Yoshino <tyoshino@google.com>
Date: Thu, 6 Jun 2013 13:18:31 +0900
Message-ID: <CAH9hSJa2OS4BU4h1Ku6Ep-TdVC=e9=jnQu3Fgg9g37abyBCOgw@mail.gmail.com>
To: Scott Morgan <scott@adligo.com>
Content-Type: multipart/alternative; boundary=089e016352109fc63904de749ca5
X-Gm-Message-State: ALoCoQmvGu2mZc67A1iseYR9PWXyjGSquZzMjnTJFIld2j6mV2tpbEER1L8BTUMHNfbBiUlCSS9FjFAsntsIrkKxkWd2eLzmfQL3pvDEnhiTcTFD8b2nDBkUlmgHrN0C0EInUhH8okiGhUAvaljaJdnrd4Fu+XyuuAQZsUV1wKSIEkWowglAxDil4yH0Ml0hvA/HeSL2qhXK
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] hybi Digest, Vol 51, Issue 14
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 04:18:54 -0000

On Sun, Jun 2, 2013 at 2:55 AM, Scott Morgan <scott@adligo.com> wrote:

> On Tue, May 28, 2013 at 10:36 PM, Takeshi Yoshino <tyoshino@google.com>wrote;wrote:
>
...

>  Could you elaborate?
>>
> Yes and actually I am going to change the way I do this after reading the
> rfc.   I am going to use regular http(s) for the authentication part so
> this would change to the following.
>
> 1 Browser sends authentication to the server over https
> 2 Server notes the ip address of the request and responds with a ws url to
> the client if successful ie.  wss://example.com/valid?session=123
> 3 Browser connects to url wss://example.com/valid?session=123
> 4 Server checks the ip address of the original https request with the wss
> connection
>     to make sure they are the same, and takes appropriate action (closes
> the wss connection if they are NOT, or some other appropriate action)
>

I see.


>  1 Browser connects to a wss server
>>> 2 User does some authentication (ie user id, password)
>>> 3 wss server does authentication using user id, password and ip address
>>> (for either some privileges or as a additional authentication parameter
>>> for a success fail style authentication)
>>>
>>
>> That is that only access from some IP address X will have some high
>> privilege?
>>
> Yes the ip address of the user may allow the user to gain additional
> privileges, ie something like;
> John logs in to the Bank from a public computer he can't do much, but see
> the accounts.
> John logs in from his office (and the office ips addresses are marked as
> secure locations)
>   he gets to transfer money
>
>
Sounds fine.


> Note my application is not a bank application, this is just a example.
>
>>
>>
>>>  4 after successful auth message at the browser an the wss connection
>>> is closed
>>>  and a different wss is opened on the same port with a different path in
>>> the url
>>> 5 The wss server only allows the different wss connection to open if
>>> there is a http session from the original wss connection from the same ip
>>> address of the first connection.
>>>
>>
>> Does the server get a session parameter over the new connection and also
>> check the source IP address? Or the server here just checks if there was
>> successful authentication on some prior connection with the same IP address
>> as the new one?
>>
> My main goal was to attempt to validate the IP address of the sender by
> comparing the ip address of multiple connections, (originally both wss, now
> https and wss).
>

Even without multiplexing, it's possible that both auth and application
traffic come over the same TCP connection. RFC 6455 doesn't prohibit using
the same TCP connection for HTTPS and WSS. It's not about multiplexing but
keep-alive. IIRC, it's still under discussion but technically you can do an
HTTPS for auth and then send WS handshake on the same connection.