Re: [xmpp] See-other-uri and insecure web sockets

Peter Saint-Andre <stpeter@stpeter.im> Wed, 05 March 2014 01:42 UTC

Message-ID: <53168116.7080107@stpeter.im>
Date: Wed, 05 Mar 2014 01:42:46 +0000
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Jonathan Lennox <jonathan@vidyo.com>, "kevin@kismith.co.uk" <kevin@kismith.co.uk>
References: <E72F7F55-02DE-449E-A68C-BA8B18DAE975@vidyo.com> <CAOb_Fnzw_dw3V5W2U5M6ch2k5d=HmpUdjBYbJJQSpkWKH=V+1w@mail.gmail.com> <C3B7485D-C58A-40C9-90EE-7A18B688CBBC@vidyo.com>
In-Reply-To: <C3B7485D-C58A-40C9-90EE-7A18B688CBBC@vidyo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/kGjeQxE9NMaAk-i-iM_97jdkvBs
Cc: "xmpp@ietf.org" <xmpp@ietf.org>
Subject: Re: [xmpp] See-other-uri and insecure web sockets

On 3/4/14, 6:02 PM, Jonathan Lennox wrote:
>
> On Mar 4, 2014, at 4:44 PM, Kevin Smith <kevin@kismith.co.uk> wrote:
>
>>> I think this is a bad idea -- I don't see any reason why see-other-uri should be any less trusted than anything else received over an insecure connection.  And indeed, I think that most servers (if they have a ws listener at all) would want to respond to insecure XMPP connections by sending a see-other-uri pointing at their wss uri!
>>
>> I think this scenario is somewhat unlikely - in this case the
>> discovery would have pointed to wss (either hard-coded or over 156 or
>> whatever).
>
> Well, you need to do *something* if someone tries to connect to <ws://websocketserver.example/xmpp-bind>, but I guess responding with 301 or 404 to the HTTP handshake, prior to protocol handover, would be better than switching to xmpp and then using see-other-uri.

Yes, I think that's the better approach - the earlier the better.

Peter
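The approach agreed on above, as an added example that is not part of the thread and not code from any of the participants: a plaintext ws:// listener answers the HTTP handshake itself with a 301 to the configured wss:// endpoint, so the client never gets an XMPP stream (and never a see-other-uri stream error) over the insecure connection; only a handshake arriving over TLS is upgraded. The host name xmpp.example.net, the request bytes, and the handshake-decision helpers are constructed for this example; the Sec-WebSocket-Accept computation (SHA-1 of key plus the RFC 6455 GUID, Base64-encoded) and the "xmpp" subprotocol token are standard.

```python
import base64
import hashlib
from dataclasses import dataclass, field

# RFC 6455 magic GUID appended to the client's Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

REASONS = {101: "Switching Protocols", 301: "Moved Permanently", 400: "Bad Request"}


@dataclass
class HandshakeDecision:
    status: int
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes):
    """Split an HTTP/1.1 request head into (method, target, lowercase header map)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def websocket_accept(key: str) -> str:
    """Sec-WebSocket-Accept value for a given Sec-WebSocket-Key (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def decide_handshake(raw: bytes, over_tls: bool, secure_host: str) -> HandshakeDecision:
    """Decide how the XMPP WebSocket listener answers one handshake.

    over_tls tells us whether this request arrived on the TLS (wss) listener.
    secure_host is the operator-configured wss endpoint; it is deliberately
    NOT taken from the request's Host header so a client cannot steer the
    redirect to an arbitrary host.
    """
    method, target, headers = parse_request(raw)

    if not over_tls:
        # Redirect while we are still speaking HTTP: no XMPP stream, no
        # see-other-uri, nothing application-level crosses the plaintext link.
        return HandshakeDecision(301, {
            "Location": f"wss://{secure_host}{target}",
            "Connection": "close",
        })

    if (method != "GET"
            or headers.get("upgrade", "").lower() != "websocket"
            or "sec-websocket-key" not in headers):
        return HandshakeDecision(400, {"Connection": "close"})

    response = {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": websocket_accept(headers["sec-websocket-key"]),
    }
    # Echo the XMPP subprotocol only if the client offered it.
    offered = [p.strip() for p in headers.get("sec-websocket-protocol", "").split(",")]
    if "xmpp" in offered:
        response["Sec-WebSocket-Protocol"] = "xmpp"
    return HandshakeDecision(101, response)


def render(decision: HandshakeDecision) -> bytes:
    """Serialize the decision as an HTTP/1.1 response head."""
    lines = [f"HTTP/1.1 {decision.status} {REASONS[decision.status]}"]
    lines += [f"{name}: {value}" for name, value in decision.headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed sample handshake; the key is the RFC 6455 example key.
SAMPLE_REQUEST = (
    b"GET /xmpp-bind HTTP/1.1\r\n"
    b"Host: websocketserver.example\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Sec-WebSocket-Protocol: xmpp\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for tls in (False, True):
        print(f"--- over_tls={tls} ---")
        print(render(decide_handshake(SAMPLE_REQUEST, tls, "xmpp.example.net")).decode())
```

The plaintext branch never inspects the WebSocket headers at all, which is the point of redirecting "prior to protocol handover": the insecure listener's only job is to point at the TLS endpoint and close.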