IETF Logo Mail Archive

Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

Adam Barth <ietf@adambarth.com> Mon, 26 July 2010 10:16 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C3173A69F0 for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 03:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.675
X-Spam-Level:
X-Spam-Status: No, score=-1.675 tagged_above=-999 required=5 tests=[AWL=0.302, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AbCLkbkmGAfO for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 03:16:35 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id 648513A6AE1 for <hybi@ietf.org>; Mon, 26 Jul 2010 03:16:32 -0700 (PDT)
Received: by ywa8 with SMTP id 8so428295ywa.31 for <hybi@ietf.org>; Mon, 26 Jul 2010 03:16:53 -0700 (PDT)
Received: by 10.151.63.18 with SMTP id q18mr8648574ybk.100.1280139412748; Mon, 26 Jul 2010 03:16:52 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id n20sm3545143ibe.17.2010.07.26.03.16.51 (version=SSLv3 cipher=RC4-MD5); Mon, 26 Jul 2010 03:16:51 -0700 (PDT)
Received: by iwn38 with SMTP id 38so2877133iwn.31 for <hybi@ietf.org>; Mon, 26 Jul 2010 03:16:50 -0700 (PDT)
Received: by 10.231.174.72 with SMTP id s8mr8584152ibz.41.1280139410895; Mon, 26 Jul 2010 03:16:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.79.85 with HTTP; Mon, 26 Jul 2010 03:16:29 -0700 (PDT)
In-Reply-To: <1453160A-6353-4720-88BA-43D17038B4A7@apple.com>
References: <AANLkTilfxps1wWjFrwrH_3Js6Q9E331AMKFRNHfeHcdL@mail.gmail.com> <AANLkTi=vPAnnK0=gE=YN10vt9b-f6sWXXcwK+La5SriO@mail.gmail.com> <623C6D70-B4AF-49EC-BA07-6F90BD0FFFBF@apple.com> <AANLkTi=Q-PVrdaWuOu3H=wUiphe6JB4C+LauSOXKozoY@mail.gmail.com> <AANLkTi=Z-Zw3gJAdwQMAqG5UUVnV_kgsGm3M_qQ2Bwt7@mail.gmail.com> <8B47440C-7CFD-442F-94E3-96A8EBE7D25D@apple.com> <AANLkTimRo_ubic96z3VgwexiOw0KJg10HQedmcuBs6jp@mail.gmail.com> <FA3856A4-FF29-430E-8BE4-3049F1E33A03@apple.com> <AANLkTim14YJgikfeU9k84xMqtcFt0cdqJQZcsNmvt-Eo@mail.gmail.com> <1453160A-6353-4720-88BA-43D17038B4A7@apple.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 26 Jul 2010 12:16:29 +0200
Message-ID: <AANLkTimT+mNXBoQO5L11_ibv645u8Se5K+GBhP9vKXmj@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: hybi@ietf.org
Subject: Re: [hybi] Insight you need to know: Browsers are at fault when servers crash
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2010 10:16:37 -0000

On Mon, Jul 26, 2010 at 11:45 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Jul 26, 2010, at 12:39 AM, Adam Barth wrote:
>> You can also this this idea at the end
>> of an HTTP-like handshake to get started sending data without waiting
>> for the server to reply.
>
> Doesn't this second design make WebSocket services potentially vulnerable to
> cross-protocol attacks from HTTP? It's easy for the HTTP attacker to make up
> a key and encrypt the attack payload with it, unless the server has to prove
> it understands WebSocket based on part of the handshake that the in-browser
> HTTP attacker can't control before it is allowed to process messages.

I don't quite follow.  You seem to be worried about the WebSocket
server being attacked by a non-WebSocket client.  How does that relate
to whether a WebSocket client waits for the server to acknowledge?

Adam

v2.23.0 | Report a Bug | By Email