Re: [RAI] [dispatch] MSRP Expert Review of draft-pd-dispatch-msrp-websocket-04

"Olle E. Johansson" <> Thu, 30 January 2014 09:26 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 139CF1A044E; Thu, 30 Jan 2014 01:26:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9ZlUmzFy2hvx; Thu, 30 Jan 2014 01:26:19 -0800 (PST)
Received: from ( [IPv6:2a02:920:212e::205]) by (Postfix) with ESMTP id 9475E1A03E9; Thu, 30 Jan 2014 01:26:15 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTPA id E8C8793C2A1; Thu, 30 Jan 2014 09:26:11 +0000 (UTC)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: "Olle E. Johansson" <>
In-Reply-To: <>
Date: Thu, 30 Jan 2014 10:26:11 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: "Cullen Jennings (fluffy)" <>
X-Mailer: Apple Mail (2.1827)
Cc: Ben Campbell <>, DISPATCH <>, "" <>, "" <>, Peter Dunkley <>
Subject: Re: [RAI] [dispatch] MSRP Expert Review of draft-pd-dispatch-msrp-websocket-04
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Real-time Applications and Infrastructure \(RAI\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jan 2014 09:26:21 -0000

On 29 Jan 2014, at 19:11, Cullen Jennings (fluffy) <> wrote:

> On Jan 29, 2014, at 10:16 AM, Peter Dunkley <> wrote:
>> Even if TLS is left as MUST all of the additional checks from the RFC cannot be enforced on the client because (in a browser) you don't have any access to that information.
> So help educate me on what is missing and lets go get that fixed in web sockets. 

THis is interesting. If I parse the W3C WebSocket API specification correctly, the script is not allowed to know WHY a Websocket connection failed. It's just a big failure. I would like to understand why they made this choice.

I wonder if this mixes TLS authentication with TLS encryption. We are not allowed to set up an encrypted WS connection to a self-signed cert or in general a server with a cert signed by an unknown CA even if we want to.

I just did a quick check - someone else may know ways around this. (I hope).


User agents must not convey any failure information to scripts in a way that would allow a script to distinguish the following situations:

	• A server whose host name could not be resolved.
	• A server to which packets could not successfully be routed.
	• A server that refused the connection on the specified port.
	• A server that failed to correctly perform a TLS handshake (e.g., the server certificate can't be verified).
	• A server that did not complete the opening handshake (e.g. because it was not a WebSocket server).
	• A WebSocket server that sent a correct opening handshake, but that specified options that caused the client to drop the connection (e.g. the server specified a subprotocol that the client did not offer).
	• A WebSocket server that abruptly closed the connection after successfully completing the opening handshake.
In all of these cases, the the WebSocket connection close code would be 1006, as required by the WebSocket Protocol specification. [WSP]

Allowing a script to distinguish these cases would allow a script to probe the user's local network in preparation for an attack.