Re: [hybi] Redesigning the Web Socket handshake
Justin Erenkrantz <justin@erenkrantz.com> Tue, 02 February 2010 22:30 UTC
Return-Path: <justin.erenkrantz@gmail.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3AD3E28C10A for <hybi@core3.amsl.com>; Tue, 2 Feb 2010 14:30:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.985
X-Spam-Level:
X-Spam-Status: No, score=-1.985 tagged_above=-999 required=5 tests=[AWL=-0.008, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eRStXUS9iuvr for <hybi@core3.amsl.com>; Tue, 2 Feb 2010 14:30:44 -0800 (PST)
Received: from mail-px0-f186.google.com (mail-px0-f186.google.com [209.85.216.186]) by core3.amsl.com (Postfix) with ESMTP id 64F3828C0E7 for <hybi@ietf.org>; Tue, 2 Feb 2010 14:30:44 -0800 (PST)
Received: by pxi16 with SMTP id 16so587596pxi.29 for <hybi@ietf.org>; Tue, 02 Feb 2010 14:31:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type:content-transfer-encoding; bh=c2lbitM0OJZuyHWKWI9tRG4iBbawTbMaeQhvqOytpYM=; b=mngpc/0TuJ2lrIY2YzsQXUFmMi/b1BDEz+xomzIP/1n/6UN7JYrIh+Fk9omivJ03TZ Na+G2VyQTCNy6nc6Wo2Uk5cvghClo5gQeUV1CA3LMG4OhRf6J+i0Meq3ybQUIt17RceO rxs2Caoz1BKxCsk5/3Kons9P28A3eLj7uFoCw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=YxbxWyCCUUSugT+VooAl9lhFjWeBPnu8vKpU/sqdS7kRi0rWq6RxifTr8mC9wjibue ZyKmfUJBz4aSiOEg4jE336EDMahEwammmZcp70azj1r+LKxgFr459VNKw87fXERa1eXB q+7eiI+HuJ0D5nTgix1vE4vdDoxIXv/72BD+E=
MIME-Version: 1.0
Sender: justin.erenkrantz@gmail.com
Received: by 10.143.153.33 with SMTP id f33mr4398833wfo.251.1265149881691; Tue, 02 Feb 2010 14:31:21 -0800 (PST)
In-Reply-To: <FD440FEA-9F53-4F4C-8AA5-98B23318F0F7@apple.com>
References: <Pine.LNX.4.64.1002012305000.21600@ps20323.dreamhostps.com> <4B676E8C.70804@webtide.com> <Pine.LNX.4.64.1002020311030.3846@ps20323.dreamhostps.com> <4B679E2C.2080502@webtide.com> <FD440FEA-9F53-4F4C-8AA5-98B23318F0F7@apple.com>
Date: Tue, 02 Feb 2010 14:31:21 -0800
X-Google-Sender-Auth: 6ffaccbf6e7e10e7
Message-ID: <5c902b9e1002021431w25768b2eu4e21244f080bed25@mail.gmail.com>
From: Justin Erenkrantz <justin@erenkrantz.com>
To: Maciej Stachowiak <mjs@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org
Subject: Re: [hybi] Redesigning the Web Socket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2010 22:30:45 -0000
On Mon, Feb 1, 2010 at 7:50 PM, Maciej Stachowiak <mjs@apple.com> wrote: > I wish you could consider the nonce handshake proposal and report whether it addresses your concerns. Instead, you are just repeating your own suggestion. I listened to you and gave you feedback. I even made a proposal that tries to address the requirements you have identified. Can you please do me the same courtesy? > > Would it be helpful if I spelled out the nonce proposal in more detail and explained how it fixes security vulnerabilities in the current handshake, while also making it easier to integrate with existing servers? I admit both my explanation and Ian's later summary were somewhat roughly sketched out. Yes, I admit it'd be a bit helpful if the nonce proposal was little more concrete. I'm still not exactly clear what the security risks are (I know you tried to clarify a bit, but it didn't really hit what you were talking about) - to me, expecting a hard-code byte sequence just to do the initialization doesn't seem to add any real security benefits. I'm not quite sure what a nonce would add, but if I saw it at a slightly more concrete level, perhaps that'd trip the light bulb. I'm for pretty much anything which lets any conformant HTTP/1.1 server process the upgrade request (or a HTTP/1.1 client issue it!) and then hand-off to a new protocol upon completion of the HTTP/1.1 response. -- justin
- Re: [hybi] Redesigning the Web Socket handshake Greg Wilkins
- Re: [hybi] Redesigning the Web Socket handshake Justin Erenkrantz
- [hybi] Redesigning the Web Socket handshake Ian Hickson
- Re: [hybi] Redesigning the Web Socket handshake Greg Wilkins
- Re: [hybi] Redesigning the Web Socket handshake Ian Hickson
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Greg Wilkins
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Vladimir Katardjiev
- Re: [hybi] Redesigning the Web Socket handshake Francis Brosnan Blázquez
- Re: [hybi] Redesigning the Web Socket handshake Justin Erenkrantz
- Re: [hybi] Redesigning the Web Socket handshake Justin Erenkrantz
- Re: [hybi] Redesigning the Web Socket handshake Jamie Lokier
- Re: [hybi] Redesigning the Web Socket handshake Jamie Lokier
- Re: [hybi] Redesigning the Web Socket handshake Jamie Lokier
- Re: [hybi] Redesigning the Web Socket handshake Jamie Lokier
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Greg Wilkins
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Justin Erenkrantz
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Roberto Peon
- Re: [hybi] Redesigning the Web Socket handshake Justin Erenkrantz
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Justin Erenkrantz
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Jamie Lokier
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Jamie Lokier
- Re: [hybi] Redesigning the Web Socket handshake Martin J. Dürst
- Re: [hybi] Redesigning the Web Socket handshake Lars Eggert
- Re: [hybi] Redesigning the Web Socket handshake Maciej Stachowiak
- Re: [hybi] Redesigning the Web Socket handshake Martin J. Dürst