Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <> Wed, 29 June 2011 08:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 752D822800F for <>; Wed, 29 Jun 2011 01:05:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2vB5PhokfCEY for <>; Wed, 29 Jun 2011 01:05:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id BCCE0228006 for <>; Wed, 29 Jun 2011 01:05:32 -0700 (PDT)
Received: by qyk29 with SMTP id 29so721953qyk.10 for <>; Wed, 29 Jun 2011 01:05:32 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id a4mr323590qcf.287.1309334732082; Wed, 29 Jun 2011 01:05:32 -0700 (PDT)
Received: by with HTTP; Wed, 29 Jun 2011 01:05:31 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Wed, 29 Jun 2011 10:05:31 +0200
Message-ID: <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc:, Greg Wilkins <>
Subject: Re: [hybi] About authentication mechanism
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Jun 2011 08:05:33 -0000

2011/6/29 Ian Fette (イアンフェッティ) <>om>:
> Pass an oauth token,

How? within the subprotocol itself?

> or have the WS server issue some challenge that the JS
> answers

Reinventing the wheel (HTTP Digest auth) but at WS subprotocol level?
So should the JavaScript client *code* perform the challenge in pure
and custom JavaScript code? I expect *lots* of future vulnerabilities
in WS.

Unfortunately it's common in this WG not to reuse existing
technologies (neither reusing DNS SRV for good
load-balancing/failover, neither reusing any existing authentication
mechanism). This is not good IMHO.

> (or presents to the user on behalf of the server if it's really
> necessary), many ways. This is not a new problem.

Even worse, it's not a new problem but it seems that WebSocket draft
authors don't want to deal with it. WebSocket world will become a

So, is it really possible that WebSocket will be the first
client->server protocol without, at least, one solid authentication
mechanism specified? I just can't believe it. Please, WS is not like a
DNS query. WS is supposed to carry personal and private data.

Please don't take me wrong, but IMHO some other people with experience
in Internet protocols other than HTTP should also take a look to this
draft. I don't like the WWW-style of doing things this protocol is
acquiring. The fact that WWW world is a jungle doesn't mean that any
other new protocol (even when related to HTTP) should also be jungle.

I strongly disagree with the direction this draft is taking when
coming to authentication area in WebSocket protocol.


Iñaki Baz Castillo