Re: [hybi] New port and Tunneling?

"Shelby Moore" <shelby@coolpage.com> Wed, 18 August 2010 08:39 UTC

Date: Wed, 18 Aug 2010 04:39:56 -0400
From: Shelby Moore <shelby@coolpage.com>
To: shelby@coolpage.com
Cc: hybi@ietf.org
Subject: Re: [hybi] New port and Tunneling?
List-Id: Server-Initiated HTTP <hybi.ietf.org>

> I will read it next, but quick reply to say:
>
> 1) Agreed, because if the browser has a bug that reveals my session id for
> AsiaDear.com, my security is broken.  I have to rely on the browser for
> persistence, but what I have done is made sure that only a bug in the
> browser can do it, not some other type of vulnerability.

"not some other type of vulnerability."

Or of course any attack in the network between client and server. Moving
to HTTPS would help.

Or of course if any of my client side code has a vulnerability, such as
injecting XSS.

Or of course if my server has a state-machine vulnerability.

etc...

In terms of the point below, once a site does mashups that are not framed,
it gets very difficult to not introduce vulnerability.  Crockford has
proposed <module> with JSON inter-frame communication:

http://json.org/module.html

>
> 2) Apologize for the tone of my prior email about your research paper.  I
> wasn't expecting that you would appreciate my points, but it seems I wasn't
> patient enough (past experience, sorry). Also if you are approaching this
> from a "what is practical in real world" perspective, I can understand why
> your research would be less "idealistic" than my points.  Nevertheless, I
> hope we can agree that it is a major win when we can be idealistic and
> achieve the isolation of #1 above.