Re: [xmpp] See-other-uri and insecure web sockets

Peter Saint-Andre <stpeter@stpeter.im> Wed, 05 March 2014 01:43 UTC

Message-ID: <5316813E.3020901@stpeter.im>
Date: Wed, 05 Mar 2014 01:43:26 +0000
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: kevin@kismith.co.uk, Jonathan Lennox <jonathan@vidyo.com>
References: <E72F7F55-02DE-449E-A68C-BA8B18DAE975@vidyo.com> <CAOb_Fnzw_dw3V5W2U5M6ch2k5d=HmpUdjBYbJJQSpkWKH=V+1w@mail.gmail.com>
In-Reply-To: <CAOb_Fnzw_dw3V5W2U5M6ch2k5d=HmpUdjBYbJJQSpkWKH=V+1w@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/D-RVsXjbUoLA5CwTMY9p3NQdzNo
Cc: "xmpp@ietf.org" <xmpp@ietf.org>
Subject: Re: [xmpp] See-other-uri and insecure web sockets
List-Id: XMPP Working Group <xmpp.ietf.org>

On 3/4/14, 4:44 PM, Kevin Smith wrote:
> On Tue, Mar 4, 2014 at 3:31 PM, Jonathan Lennox <jonathan@vidyo.com> wrote:
>> As requested -- I reviewed the text forbidding see-other-uri downgrading in the current version of draft-ietf-xmpp-websocket, and I'm happy with it.
>>
>> What I was responding to at the mic was a comment that StPeter made during his presentation, suggesting that in addition, a future version of the draft would recommend that see-other-uri received over an insecure (ws or http) connection should be ignored.
>
> It feels to me like there are potentially auth mechanism downgrade
> attacks associated here, if people were to do the Wrong Thing. So I
> think at least a note is worthwhile.
>
> The document does, though, tell everyone to do wss, so this is
> arguably not an issue.

Personally I see no harm in a bit of text that reinforces the point.

Peter
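
As an added illustration, not code from the draft, from RFC 7395, or from any participant in this thread, the following Python sketch shows the client-side check the thread is about. It assumes the framing shape of the published RFC 7395, where the server redirects with a <close/> element in the urn:ietf:params:xml:ns:xmpp-framing namespace carrying a see-other-uri attribute; whether the draft under discussion in March 2014 already used exactly that shape is an assumption here. The sample frames and hostnames are constructed. Rule 1 is the downgrade prohibition Jonathan reviewed (never follow wss -> ws or http). Rule 2 is the additional behaviour Peter suggested at the mic (ignore any see-other-uri that arrived over ws or http), made switchable so the two policies can be compared. The security point behind Rule 2 is that an active attacker on a plaintext ws connection can inject the redirect itself, so even a target with a wss scheme is attacker-chosen and is not a trustworthy "upgrade".

```python
"""Added example: should an XMPP-over-WebSocket client follow a see-other-uri
redirect?  Not code from draft-ietf-xmpp-websocket, RFC 7395 or the thread.

Assumption: the server redirects with a framing <close/> element carrying a
'see-other-uri' attribute (the shape used by the published RFC 7395).
Sample frames and hostnames below are constructed, not captured traffic.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlparse

FRAMING_NS = "urn:ietf:params:xml:ns:xmpp-framing"
SECURE_SCHEMES = {"wss", "https"}
INSECURE_SCHEMES = {"ws", "http"}

# Constructed sample <close/> frames (hypothetical hosts).
FRAME_TO_WSS = ('<close xmlns="%s" see-other-uri="wss://xmpp2.example.net/ws"/>'
                % FRAMING_NS)
FRAME_TO_WS = ('<close xmlns="%s" see-other-uri="ws://xmpp2.example.net/ws"/>'
               % FRAMING_NS)
FRAME_PLAIN_CLOSE = '<close xmlns="%s"/>' % FRAMING_NS


def parse_see_other_uri(close_xml: str) -> Optional[str]:
    """Return the see-other-uri attribute of a framing <close/>, or None."""
    root = ET.fromstring(close_xml)
    if root.tag != "{%s}close" % FRAMING_NS:
        return None  # not a framing close element at all
    return root.get("see-other-uri")


def redirect_decision(current_uri: str, close_xml: str,
                      ignore_on_insecure: bool = True) -> Tuple[bool, str]:
    """Decide whether to follow a redirect; returns (follow, reason).

    Rule 1 (in the draft): refuse a redirect that lowers the security of the
    connection, i.e. wss/https -> ws/http.
    Rule 2 (proposed in the thread, switchable): a see-other-uri that arrived
    over ws or http may have been injected by an on-path attacker, so ignore
    it regardless of the scheme it points at.
    """
    target = parse_see_other_uri(close_xml)
    if target is None:
        return False, "no see-other-uri in close frame"

    cur = urlparse(current_uri).scheme.lower()
    new = urlparse(target).scheme.lower()
    if new not in SECURE_SCHEMES | INSECURE_SCHEMES:
        return False, "unsupported target scheme %r" % new

    if ignore_on_insecure and cur in INSECURE_SCHEMES:
        return False, "see-other-uri received over %s; ignored" % cur
    if cur in SECURE_SCHEMES and new in INSECURE_SCHEMES:
        return False, "downgrade %s -> %s refused" % (cur, new)
    return True, "redirect to %s" % target


def demo() -> dict:
    """Exercise the four interesting combinations plus a plain close."""
    secure_origin = "wss://xmpp.example.net/ws"
    insecure_origin = "ws://xmpp.example.net/ws"
    return {
        "wss->wss": redirect_decision(secure_origin, FRAME_TO_WSS),
        "wss->ws": redirect_decision(secure_origin, FRAME_TO_WS),
        # Rule 2 on: anything learned over plaintext is ignored.
        "ws->wss (rule 2 on)": redirect_decision(insecure_origin, FRAME_TO_WSS),
        # Rule 2 off: only the draft's downgrade rule applies, so this passes.
        "ws->wss (rule 2 off)": redirect_decision(insecure_origin, FRAME_TO_WSS,
                                                  ignore_on_insecure=False),
        "plain close": redirect_decision(secure_origin, FRAME_PLAIN_CLOSE),
    }


if __name__ == "__main__":
    for case, (follow, reason) in demo().items():
        print("%-22s follow=%-5s %s" % (case, follow, reason))
```

Running it shows the one case where the two policies differ: a redirect to a wss URI received over plain ws is followed under the draft's downgrade rule alone, and refused once the "ignore see-other-uri over insecure connections" note is applied.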