Re: [hybi] Websocket: two protocols into one, and Internet rules broken
Ian Fette (イアンフェッティ) <ifette@google.com> Thu, 16 June 2011 16:50 UTC
Return-Path: <ifette@google.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BD1511E8121 for <hybi@ietfa.amsl.com>; Thu, 16 Jun 2011 09:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.676
X-Spam-Level:
X-Spam-Status: No, score=-105.676 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z41dsdauNvIu for <hybi@ietfa.amsl.com>; Thu, 16 Jun 2011 09:50:00 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by ietfa.amsl.com (Postfix) with ESMTP id C0E8011E811B for <hybi@ietf.org>; Thu, 16 Jun 2011 09:49:59 -0700 (PDT)
Received: from kpbe15.cbf.corp.google.com (kpbe15.cbf.corp.google.com [172.25.105.79]) by smtp-out.google.com with ESMTP id p5GGnwH4017677 for <hybi@ietf.org>; Thu, 16 Jun 2011 09:49:58 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1308242998; bh=fiQuFBXLkFor/nnaOnWdUwjMBRo=; h=MIME-Version:Reply-To:In-Reply-To:References:Date:Message-ID: Subject:From:To:Cc:Content-Type; b=fbxFOJHdrK1zsFg5xB0TLN3H0cDMMlV4oUwJnmw613+ukrbL8Fq7ivSe2L2OSeeMh QzAHn2521eNL61WOe6qkQ==
Received: from iwn36 (iwn36.prod.google.com [10.241.68.100]) by kpbe15.cbf.corp.google.com with ESMTP id p5GGnu2B014556 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <hybi@ietf.org>; Thu, 16 Jun 2011 09:49:56 -0700
Received: by iwn36 with SMTP id 36so1611671iwn.36 for <hybi@ietf.org>; Thu, 16 Jun 2011 09:49:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:reply-to:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=RTc130Cj2X2YC1o5S9QSec9Y0XXI/76inUMI/A4Dr9U=; b=hC/T8VQQfD6lMmemJpnb32evE8iDjILFOb5VJ8nKXNQx6iB6r+yt5klCvp6CcHF6X8 xkZyX/5dOk4dEKL0XPUA==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; b=YUWt7WVWHUjKYebUMMyryA7lJtKf15knF/3k3YjTyz5FFFXNB/5yGhYALMasa3f5Y4 /Kp4bLLbd/yIpq9wCgWg==
MIME-Version: 1.0
Received: by 10.231.60.73 with SMTP id o9mr987188ibh.33.1308242996287; Thu, 16 Jun 2011 09:49:56 -0700 (PDT)
Received: by 10.231.33.8 with HTTP; Thu, 16 Jun 2011 09:49:56 -0700 (PDT)
In-Reply-To: <BANLkTikdUneox_4tpMm-EjXPQEEbN7sF4w@mail.gmail.com>
References: <BANLkTim4pKwx6wYC3WwXFWET+gx0bnjigQ@mail.gmail.com> <4DFA08A5.3010608@weelya.com> <BANLkTi=JGeFmkYcwqQJ_xe=3CGrXwHxHPg@mail.gmail.com> <4DFA1173.9050509@weelya.com> <BANLkTi=LAiw+JvCOc3VPrXnmog7AkSWwCw@mail.gmail.com> <4DFA15E9.50800@weelya.com> <BANLkTikdUneox_4tpMm-EjXPQEEbN7sF4w@mail.gmail.com>
Date: Thu, 16 Jun 2011 09:49:56 -0700
Message-ID: <BANLkTik4y_fRd3pEuPdrwESb7ftdbuvk9w@mail.gmail.com>
From: "Ian Fette (イアンフェッティ)" <ifette@google.com>
To: Joel Martin <hybi@martintribe.org>
Content-Type: multipart/alternative; boundary="0015176f0d2812d94604a5d70f97"
X-System-Of-Record: true
Cc: hybi@ietf.org
Subject: Re: [hybi] Websocket: two protocols into one, and Internet rules broken
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ifette@google.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2011 16:50:04 -0000
Sec-WebSocket-Accept uses a GUID defined in the protocol and the key from the handshake to prove that the remote end is indeed a websocket server as you point out. The other part is that Sec-WebSocket-Accept takes the key from the Sec-WebSocket-Key header, which XHR cannot send and thus the server doesn't have the information necessary to generate the Accept value as there is no key from the client. The original question you link to is basically "why does the server have to answer a challenge", and it breaks down into two parts: 1. Force server to validate that the client is a WebSocket client (by making it use a value from Sec-WebSocket-Key along with the GUID, we ensure that the server actually checks for the presence of Sec-WebSocket-Key.) 2. Let the client validate that the server is actually a WebSocket server (by checking that Sec-WebSocket-Accept is properly computed). #1 lets the server be sure it's not responding to some random XHR request, #2 lets the browser know that it's safe to connect and that it's communicating to a WebSocket server and not some non-WS target. On Thu, Jun 16, 2011 at 8:54 AM, Joel Martin <hybi@martintribe.org> wrote: > I started to try and answer this StackOverflow question about the protocol > text and realized that I didn't understand it as well as I thought: > > http://stackoverflow.com/questions/6372252/why-does-the-server-in-a-websocket-request-have-to-answer-a-challenge > > The question is related to this paragraph (which has been in the drafts for > a while unchanged): > > Finally, the server has to prove to the client that it received the > client's WebSocket handshake, so that the server doesn't accept > connections that are not WebSocket connections. This prevents an > attacker from tricking a WebSocket server by sending it carefully- > crafted packets using |XMLHttpRequest| or a |form| submission. > > I can see how the Sec-WebSocket-Accept would prevent a WebSocket client > from being tricked into connecting to a non-WebSocket server. However, I'm > having difficulty understanding how the Sec-WebSocket-Accept header would > prevent a XMLHttpRequest from succeeding to a WebSockets server since it is > sent from the server. I am aware of the prohibition against "Sec-" headers > in the client to server direction. Is there a requirement that > XMLHttpRequest responses with unrecognized "Sec-" headers be rejected by > user agents (and if so does this only apply in the browser case)? > > It's likely I just don't have enough context to understand the paragraph, > but perhaps it could be clarified a bit. > > Regards, > > Joel Martin > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi > >
- Re: [hybi] Websocket: two protocols into one, and… Anthony Catel
- [hybi] Websocket: two protocols into one, and Int… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Anthony Catel
- Re: [hybi] Websocket: two protocols into one, and… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Willy Tarreau
- Re: [hybi] Websocket: two protocols into one, and… Anthony Catel
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Ian Fette (イアンフェッティ)
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Ian Fette (イアンフェッティ)
- Re: [hybi] Websocket: two protocols into one, and… Willy Tarreau
- Re: [hybi] Websocket: two protocols into one, and… Philipp Serafin
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Joel Martin
- Re: [hybi] Websocket: two protocols into one, and… Iñaki Baz Castillo
- Re: [hybi] Websocket: two protocols into one, and… Ian Fette (イアンフェッティ)
- Re: [hybi] Websocket: two protocols into one, and… Dave Cridland