IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Fri, 01 October 2010 05:30 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0F67A3A6E2D for <hybi@core3.amsl.com>; Thu, 30 Sep 2010 22:30:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.737
X-Spam-Level:
X-Spam-Status: No, score=-2.737 tagged_above=-999 required=5 tests=[AWL=-0.694, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PlHCxrzDrN64 for <hybi@core3.amsl.com>; Thu, 30 Sep 2010 22:29:59 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 3B93C3A6C8A for <hybi@ietf.org>; Thu, 30 Sep 2010 22:29:57 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o915Uf4O022395; Fri, 1 Oct 2010 07:30:41 +0200
Date: Fri, 01 Oct 2010 07:30:41 +0200
From: Willy Tarreau <w@1wt.eu>
To: Adam Barth <ietf@adambarth.com>
Message-ID: <20101001053041.GG18673@1wt.eu>
References: <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <AANLkTi=YTYsbYLiqiPdoJN=yxkWyMmEM5GT4VZbJTFwO@mail.gmail.com> <AANLkTim5d0TMJ=Z4_-eFNDw8ajyYmfx6V=UwS1Jya4Zq@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTim5d0TMJ=Z4_-eFNDw8ajyYmfx6V=UwS1Jya4Zq@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 05:30:00 -0000

Adam,

I agreed with almost all what you said except that :

On Thu, Sep 30, 2010 at 09:04:50PM -0700, Adam Barth wrote:
> Well, once I get past the handshake, WebSockets gives me an almost
> unrestricted TCP connection to the target server.  If we weren't
> worried about what an attacker could do with unrestricted TCP
> connections to a server, we wouldn't need a handshake in the first
> place.

It's not an "almost unrestricted TCP connection to the target server",
but rather an "almost unlimited bidirectional connection to the
target application". You need the other end to speak WS frames, even
if you have to trick it for this. But you won't use that connection
for SSH for instance.

Willy

v2.23.0 | Report a Bug | By Email