Re: [hybi] Handshake was: The WebSocket protocol issues.

Alexander Voronin <alexander.voronin@gmail.com> Fri, 24 September 2010 09:51 UTC

From: Alexander Voronin <alexander.voronin@gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: hybi <hybi@ietf.org>
Date: Fri, 24 Sep 2010 12:52:10 +0300
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
Message-ID: <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com>
In-Reply-To: <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com>

What kind of cross-protocol attacks are you talking about all this time?
Using the simplest handshake with framed data transfer and relying on browser
security policies, it seems to be impossible. Do you have any real examples
of this?

2010/9/24 Maciej Stachowiak <mjs@apple.com>

>
> This proposal does not appear to defend against a cross-protocol attack on
> a WebSocket server using a browser-hosted HTTP API.
>
> It also appears to add more round trips before actual message sending can
> begin in either direction.
>
> Regards,
> Maciej


-- 
When I sank to the very bottom, someone knocked from below..