Re: [hybi] Handshake was: The WebSocket protocol issues.

Alexander Voronin <alexander.voronin@gmail.com> Fri, 24 September 2010 14:50 UTC

Date: Fri, 24 Sep 2010 17:50:57 +0300
From: Alexander Voronin <alexander.voronin@gmail.com>
To: John Tamplin <jat@google.com>
Cc: hybi <hybi@ietf.org>

Intermediaries and servers that have no WebSockets support will answer the
handshake with any code but not 101. Is that still not enough to figure out
whether a WebSocket connection is established? Why make things complex if
they could be simple?

Also, I did not get this article
<http://www.ietf.org/mail-archive/web/hybi/current/msg04166.html> by
email, but will answer here. The referenced document provides a sample of a
cross-protocol attack using HTTP POST on SMTP. POST is a one-stage request
without a handshake; WebSocket is a GET extension with a handshake, so I guess
it does not matter how complicated the handshake will be if the browser does
not obey HTTP rules and continues the HTTP session after getting
"500 Command unrecognized" instead of "HTTP/1.1 101 OK". This is not a
protocol issue but a browser issue.

2010/9/24 John Tamplin <jat@google.com>

> On Fri, Sep 24, 2010 at 5:33 AM, Alexander Voronin
> <alexander.voronin@gmail.com> wrote:
> > To my mind it is enough to send 101 or 501 if websocket is not implemented
> > on server or intermediary. You are making things too complicated and
> > implicit.
>
> The intermediaries we are concerned about have already been written.
> If they were going to be modified to send a 501 back for a WebSocket
> connection, they might as well just be modified to support
> WebSockets.
>
> So, we want to let existing intermediaries that would currently work
> without change keep working (which means remaining HTTP compliant
> until the server response comes back), and hopefully detect those that
> fail quickly without requiring timeouts.
>
> --
> John A. Tamplin
> Software Engineer (GWT), Google
>



-- 
When I sank to the very bottom, someone knocked from below..
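
The client-side check this thread argues about, as an added example that is not part of the original message or of any WebSocket implementation: classify the peer's first reply and refuse to continue unless it is an HTTP status line carrying 101. The function name, result labels and sample replies are constructed for illustration, and the extra Upgrade header check is an assumption that goes beyond what the mail states.

```python
import re

# HTTP/1.x status line: version, three-digit code, optional reason phrase.
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: [^\r\n]*)?$")


def classify_handshake_reply(raw: bytes) -> str:
    """Classify the first reply to a WebSocket upgrade request.

    "established": HTTP status line with code 101 and Upgrade: websocket
    "refused":     well-formed HTTP reply with any other status code
    "malformed":   101 without the Upgrade header (assumed extra check)
    "not-http":    first line is not an HTTP status line at all, so the
                   peer speaks another protocol and the socket is dropped
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = STATUS_LINE.match(lines[0])
    if match is None:
        return "not-http"
    if match.group(1) != b"101":
        return "refused"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"upgrade") != b"websocket":
        return "malformed"
    return "established"


# Constructed sample replies, one per outcome discussed in the thread.
SAMPLES = {
    "upgraded": b"HTTP/1.1 101 OK\r\nUpgrade: WebSocket\r\n"
                b"Connection: Upgrade\r\n\r\n",
    "old_proxy": b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n",
    "smtp_server": b"500 Command unrecognized\r\n",
    "bare_101": b"HTTP/1.1 101 OK\r\n\r\n",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, "->", classify_handshake_reply(reply))
```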