Re: [xmpp] See-other-uri and insecure web sockets

Jonathan Lennox <jonathan@vidyo.com> Tue, 04 March 2014 18:02 UTC

Return-Path: <jonathan@vidyo.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D96491A02C6 for <xmpp@ietfa.amsl.com>; Tue, 4 Mar 2014 10:02:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6Dl-4qLCnlQ for <xmpp@ietfa.amsl.com>; Tue, 4 Mar 2014 10:02:38 -0800 (PST)
Received: from server209.appriver.com (server209f.appriver.com [8.31.233.121]) by ietfa.amsl.com (Postfix) with ESMTP id 952171A02C4 for <xmpp@ietf.org>; Tue, 4 Mar 2014 10:02:38 -0800 (PST)
X-Note-AR-ScanTimeLocal: 3/4/2014 1:02:32 PM
X-Policy: GLOBAL - vidyo.com
X-Policy: GLOBAL - vidyo.com
X-Primary: jonathan@vidyo.com
X-Note: This Email was scanned by AppRiver SecureTide
X-Virus-Scan: V-
X-Note-SnifferID: 0
X-Note: TCH-CT/SI:0-64/SG:2 3/4/2014 1:02:22 PM
X-GBUdb-Analysis: 0, 162.209.16.213, Ugly c=0.934231 p=-0.986365 Source White
X-Signature-Violations: 0-0-0-2938-c
X-Note-419: 0 ms. Fail:0 Chk:1345 of 1345 total
X-Note: SCH-CT/SI:0-1345/SG:1 3/4/2014 1:02:26 PM
X-Note: Spam Tests Failed:
X-Country-Path: ->UNITED STATES->LOCAL
X-Note-Sending-IP: 162.209.16.213
X-Note-Reverse-DNS: mail1.vidyo.com
X-Note-Return-Path: jonathan@vidyo.com
X-Note: User Rule Hits:
X-Note: Global Rule Hits: G327 G328 G329 G330 G334 G335 G445
X-Note: Encrypt Rule Hits:
X-Note: Mail Class: VALID
X-Note: Headers Injected
Received: from [162.209.16.213] (HELO mail.vidyo.com) by server209.appriver.com (CommuniGate Pro SMTP 6.0.2) with ESMTPS id 103037478; Tue, 04 Mar 2014 13:02:32 -0500
Received: from 492133-EXCH2.vidyo.com ([fe80::50:56ff:fe85:6b62]) by 492132-EXCH1.vidyo.com ([fe80::50:56ff:fe85:4f77%13]) with mapi id 14.03.0146.000; Tue, 4 Mar 2014 12:02:31 -0600
From: Jonathan Lennox <jonathan@vidyo.com>
To: "kevin@kismith.co.uk" <kevin@kismith.co.uk>
Thread-Topic: [xmpp] See-other-uri and insecure web sockets
Thread-Index: AQHPN77LcHY6vVtde0udKwxOfVd74JrRhxsAgAAVyoA=
Date: Tue, 4 Mar 2014 18:02:30 +0000
Message-ID: <C3B7485D-C58A-40C9-90EE-7A18B688CBBC@vidyo.com>
References: <E72F7F55-02DE-449E-A68C-BA8B18DAE975@vidyo.com> <CAOb_Fnzw_dw3V5W2U5M6ch2k5d=HmpUdjBYbJJQSpkWKH=V+1w@mail.gmail.com>
In-Reply-To: <CAOb_Fnzw_dw3V5W2U5M6ch2k5d=HmpUdjBYbJJQSpkWKH=V+1w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [31.133.187.226]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <3431059EB382C34090BC0B0E37802FC1@vidyo.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/6gYi31EEzUycHMapH-1ppJUf4cI
Cc: "xmpp@ietf.org" <xmpp@ietf.org>
Subject: Re: [xmpp] See-other-uri and insecure web sockets
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 18:02:41 -0000

On Mar 4, 2014, at 4:44 PM, Kevin Smith <kevin@kismith.co.uk> wrote:

>> I think this is a bad idea -- I don't see any reason why see-other-uri should be any less trusted than anything else received over an insecure connection.  And indeed, I think that most servers (if they have a ws listener at all) would want to respond to insecure XMPP connections by sending a see-other-uri pointing at their wss uri!
> 
> I think this scenario is somewhat unlikely - in this case the
> discovery would have pointed to was (either hard-coded or over 156 or
> whatever).

Well, you need to do *something* if someone tries to connect to <ws://websocketserver.example/xmpp-bind>, but I guess responding with 301 or 404 to the HTTP handshake, prior to protocol handover, would be better than switching to xmpp and then using see-other-uri.