Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Sat, 02 October 2010 17:38 UTC

Message-ID: <4CA76E2F.7010009@caucho.com>
Date: Sat, 02 Oct 2010 10:38:55 -0700
From: Scott Ferguson <ferg@caucho.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
References: <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <4m0da6tid6vvj7e71t1jdqe5hju62nk0ra@hive.bjoern.hoehrmann.de>
In-Reply-To: <4m0da6tid6vvj7e71t1jdqe5hju62nk0ra@hive.bjoern.hoehrmann.de>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann wrote:
> I am not sure you understood Adam's point. Right now an attacker cannot
> trick some person into opening a web page where the browser will then
> open a TCP connection to a host and port of the attacker's choosing and
> have it send "WEBSOCKET ..." to it, and there may be environments and
> protocols where that allows some form of attack. Since the attacker has
> a good amount of control over the path that follows the verb, that's not
> entirely impossible and should be considered if the group decides to use
> a "WEBSOCKET" method.
>   

Right, but that's balanced against the added value of enabling servers 
to identify and reject a websocket request quickly.

The issue, of course, is that we're talking about different servers when 
evaluating the tradeoff. But I don't think Adam's point about the known 
problems with existing non-validating servers is a sufficient reason to 
weaken security for validating servers and future protocols.

-- Scott
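As an added illustration (not code from the thread or from any participant) of what a "validating server" in Scott's sense does: it identifies a WebSocket handshake and rejects anything else after reading only the request line and a handful of headers, without needing a new verb. It assumes the RFC 6455 handshake (GET plus Upgrade, Connection, Sec-WebSocket-Key and Sec-WebSocket-Version), which was finalised after this 2010 message, and a constructed allow-list of origins.

```python
# Added example: early identification and rejection of WebSocket handshakes.
# Assumes the RFC 6455 handshake; ALLOWED_ORIGINS and the sample request are constructed.
import base64
import hashlib

GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 handshake GUID
ALLOWED_ORIGINS = {"https://app.example"}        # constructed allow-list

def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, version, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), per RFC 6455."""
    return base64.b64encode(hashlib.sha1((key + GUID).encode()).digest()).decode()

def classify_handshake(raw: bytes):
    """Return (status, detail); status 101 means a valid upgrade from an allowed origin."""
    try:
        method, _, version, h = parse_request(raw)
    except ValueError:
        return 400, "malformed request line"
    if method != "GET" or version != "HTTP/1.1":
        return 405, "websocket handshake must be GET over HTTP/1.1"
    if h.get("upgrade", "").lower() != "websocket":
        return 426, "not a websocket upgrade"            # plain HTTP request: reject early
    tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if "upgrade" not in tokens:
        return 400, "Connection header lacks Upgrade token"
    if h.get("sec-websocket-version") != "13":
        return 426, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError
    except ValueError:                                    # binascii.Error is a ValueError
        return 400, "Sec-WebSocket-Key is not 16 base64-encoded bytes"
    if h.get("origin") not in ALLOWED_ORIGINS:            # browser-supplied origin check
        return 403, "origin not allowed"
    return 101, accept_value(key)
```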