Re: [xmpp] See-other-uri and insecure web sockets

Ben Campbell <ben@nostrum.com> Wed, 23 April 2014 19:07 UTC

From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <5316813E.3020901@stpeter.im>
Date: Wed, 23 Apr 2014 14:07:15 -0500
Message-Id: <460F5B58-D3B6-4BF2-8382-0FB59F3ED102@nostrum.com>
References: <E72F7F55-02DE-449E-A68C-BA8B18DAE975@vidyo.com> <CAOb_Fnzw_dw3V5W2U5M6ch2k5d=HmpUdjBYbJJQSpkWKH=V+1w@mail.gmail.com> <5316813E.3020901@stpeter.im>
To: Peter Saint-Andre <stpeter@stpeter.im>
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/ZaA2qWK6Aob4m-v9RqorPWN3W1I
Cc: Jonathan Lennox <jonathan@vidyo.com>, "xmpp@ietf.org" <xmpp@ietf.org>
Subject: Re: [xmpp] See-other-uri and insecure web sockets

Peter, Kevin, and Jonathan,

In your opinions, is this sufficiently addressed in the current version of the draft?

Thanks!

Ben.


On Mar 4, 2014, at 7:43 PM, Peter Saint-Andre <stpeter@stpeter.im> wrote:

> On 3/4/14, 4:44 PM, Kevin Smith wrote:
>> On Tue, Mar 4, 2014 at 3:31 PM, Jonathan Lennox <jonathan@vidyo.com> wrote:
>>> As requested -- I reviewed the text forbidding see-other-uri downgrading in the current version of draft-ietf-xmpp-websocket, and I'm happy with it.
>>> 
>>> What I was responding to at the mic was a comment that StPeter made during his presentation, suggesting that in addition, a future version of the draft would recommend that see-other-uri received over an insecure (ws or http) connection should be ignored.
>> 
>> It feels to me like there are potentially auth mechanism downgrade
>> attacks associated here, if people were to do the Wrong Thing. So I
>> think at least a note is worthwhile.
>> 
>> The document does, though, tell everyone to do wss, so this is
>> arguably not an issue.
> 
> Personally I see no harm in a bit of text that reinforces the point.
> 
> Peter
> 
> 
> _______________________________________________
> xmpp mailing list
> xmpp@ietf.org
> https://www.ietf.org/mailman/listinfo/xmpp
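The two rules discussed in the quoted thread (the draft's prohibition on downgrading via see-other-uri, and the stricter suggestion that a see-other-uri received over an insecure ws or http connection be ignored outright) can be expressed as a small client-side policy check. The code below is an added example written for this page; it is not code from draft-ietf-xmpp-websocket, from any XMPP library, or from anyone in the thread. It assumes the client's XML layer has already pulled the redirect target out of the stream error and passes it in as a string, and it treats https: (a BOSH endpoint) as an acceptable secure target alongside wss:, which is an assumption rather than something the thread states.

```javascript
// Added example, not code from the draft or any XMPP project.
// Policy check a client can run before following a see-other-uri redirect.
// Assumptions (not from the thread): https: counts as a secure target
// alongside wss:; anything else is refused.
const SECURE_SCHEMES = new Set(["wss:", "https:"]);
const INSECURE_SCHEMES = new Set(["ws:", "http:"]);

// WHATWG URL parsing; returns null instead of throwing on garbage input.
function parseUri(text) {
  try {
    return new URL(text);
  } catch (e) {
    return null;
  }
}

// currentStreamUri: the URI the client is connected to right now.
// seeOtherUri: the redirect target taken from the stream error.
// Returns { follow: boolean, reason: string }; the client follows the
// redirect only when follow === true.
function evaluateSeeOtherUri(currentStreamUri, seeOtherUri) {
  const current = parseUri(currentStreamUri);
  if (current === null) {
    return { follow: false, reason: "current stream URI unparseable" };
  }

  // Stricter rule suggested in the thread: a redirect that arrived over an
  // insecure (ws or http) connection is ignored, since anything received on
  // that connection could have been altered in transit.
  if (!SECURE_SCHEMES.has(current.protocol)) {
    return { follow: false, reason: "redirect received over insecure transport" };
  }

  const target = parseUri(seeOtherUri);
  if (target === null) {
    return { follow: false, reason: "see-other-uri unparseable" };
  }

  // Rule already in the draft: never downgrade from a secure stream to a
  // plaintext one, whatever the target host is.
  if (INSECURE_SCHEMES.has(target.protocol)) {
    return { follow: false, reason: "downgrade to plaintext scheme refused" };
  }
  if (!SECURE_SCHEMES.has(target.protocol)) {
    return { follow: false, reason: "unsupported scheme " + target.protocol };
  }
  return { follow: true, reason: "secure-to-secure redirect" };
}

// Constructed sample cases (hostnames are placeholders) covering the
// downgrade, the insecure-origin and the well-formed secure redirect.
function runSamples() {
  return [
    ["wss://example.com/xmpp-websocket", "ws://alt.example.com/xmpp-websocket"],
    ["ws://example.com/xmpp-websocket", "wss://alt.example.com/xmpp-websocket"],
    ["wss://example.com/xmpp-websocket", "wss://alt.example.com/xmpp-websocket"],
    ["wss://example.com/xmpp-websocket", "not a uri"],
  ].map(([from, to]) => ({ from, to, ...evaluateSeeOtherUri(from, to) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) {
    console.log(`${r.from} -> ${r.to}: ${r.follow ? "follow" : "ignore"} (${r.reason})`);
  }
}
```

The order of the checks matters: the transport the redirect arrived on is examined before the target is even parsed, so a client that adopts only the draft's existing rule can drop the first test and keep the downgrade check unchanged.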