Re: [secdir] Review of draft-ietf-hybi-thewebsocketprotocol-10

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 09 August 2011 13:50 UTC

To: kathleen.moriarty@emc.com
Cc: draft-ietf-hybi-thewebsocketprotocol.all@tools.ietf.org, ifette+ietf@google.com, secdir@ietf.org

Hi Kathleen,
Thank you for the review.
 
kathleen.moriarty@emc.com wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Description: The WebSocket protocol consists of an opening
>    handshake followed by basic message framing, layered over TCP.  The
>    goal of this technology is to provide a mechanism for browser-based
>    applications that need two-way communication with servers that does
>    not rely on opening multiple HTTP connections (e.g. using
>    XMLHttpRequest or <iframe>s and long polling).
>
>
> This document is ready once the security considerations identified in the Gen-ART review are addressed.
>
> Note: The Gen-ART review covered some security and protocol semantics already, thank you Richard.  Richard identified some subtle security issues and developed the "masking" concept in the draft.  It looks like his review from Gen-ART is also on version 10, so I am not certain if his considerations were addressed fully yet.
>   
The purpose of masking will be clarified, hopefully in -11.

I think the WG either agreed to Richard's issues, or agreed to disagree.
They were discussed in detail in the HYBI WG meeting in Quebec.

> There are a few 'catch all' paragraphs in the security section to enforce the need for secure coding - making sure the server only accepts what it is supposed to accept (but just at a high level).  They also hit upon the use of proxies and what can happen in the middle.
>
>
> Best regards,
> Kathleen
>
>