IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Tue, 28 September 2010 05:32 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 97CFF3A6C42 for <hybi@core3.amsl.com>; Mon, 27 Sep 2010 22:32:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.761
X-Spam-Level:
X-Spam-Status: No, score=-2.761 tagged_above=-999 required=5 tests=[AWL=-0.718, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2kRsyAeHWqi for <hybi@core3.amsl.com>; Mon, 27 Sep 2010 22:32:18 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 5BA0F3A6C41 for <hybi@ietf.org>; Mon, 27 Sep 2010 22:32:18 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o8S5WtiX027025; Tue, 28 Sep 2010 07:32:55 +0200
Date: Tue, 28 Sep 2010 07:32:55 +0200
From: Willy Tarreau <w@1wt.eu>
To: Maciej Stachowiak <mjs@apple.com>
Message-ID: <20100928053255.GE12373@1wt.eu>
References: <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 05:32:19 -0000

On Mon, Sep 27, 2010 at 10:28:31PM -0700, Maciej Stachowiak wrote:
> > I really think that if we can get a clean WS-based handshake, we can
> > get rid of the Sec-* headers, as the WS handshake will validate a much
> > more serious part of the protocol than the HTTP headers with their
> > tricks.
> 
> If we go with an HTTP-based handshake at all, we have to keep something in the original HTTP request that browser-hosted HTTP clients are assumed unable to send. Otherwise we'll significantly increase the risk of HTTP-vs-WebSocket cross-protocol attacks.

The client is as much unable to send "Upgrade: Websocket" as it is to
send "Sec-*". Either the client code controls all headers or it controls
none.

Regards,
Willy

v2.23.0 | Report a Bug | By Email