[xmpp] See-other-uri and insecure web sockets

Jonathan Lennox <jonathan@vidyo.com> Tue, 04 March 2014 15:31 UTC

From: Jonathan Lennox <jonathan@vidyo.com>
To: "xmpp@ietf.org" <xmpp@ietf.org>
Thread-Topic: See-other-uri and insecure web sockets
Thread-Index: AQHPN77LcHY6vVtde0udKwxOfVd74A==
Date: Tue, 4 Mar 2014 15:31:20 +0000
Message-ID: <E72F7F55-02DE-449E-A68C-BA8B18DAE975@vidyo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/xmpp/tR-O2jDTkH9WjDCqLjaijR42tRQ

As requested — I reviewed the text forbidding see-other-uri downgrading in the current version of draft-ietf-xmpp-websocket, and I’m happy with it.

What I was responding to at the mic was a comment that StPeter made during his presentation, suggesting that in addition, a future version of the draft would recommend that see-other-uri received over an insecure (ws or http) connection should be ignored.

I think this is a bad idea — I don’t see any reason why see-other-uri should be any less trusted than anything else received over an insecure connection. And indeed, I think that most servers (if they have a ws listener at all) would want to respond to insecure XMPP connections by sending a see-other-uri pointing at their wss uri!
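A client-side check for the no-downgrade rule the message refers to, as an added example that is not code from the original message or from the draft; it assumes the `<close/>` framing element and `see-other-uri` attribute as published in RFC 7395 (which draft-ietf-xmpp-websocket became) and constructs its own sample frames. It allows an insecure ws connection to be redirected to wss (the case the message argues servers will want), and refuses a wss connection being redirected to ws or http.

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlsplit

# Namespace of the WebSocket framing elements in RFC 7395 (assumed here).
FRAMING_NS = "urn:ietf:params:xml:ns:xmpp-framing"
CLOSE_TAG = "{%s}close" % FRAMING_NS

# Only the schemes the message mentions: ws/http are insecure, wss/https secure.
SECURE_SCHEMES = {"wss", "https"}
INSECURE_SCHEMES = {"ws", "http"}


def parse_see_other_uri(frame: str) -> Optional[str]:
    """Return the see-other-uri of a framing <close/> frame, or None if absent."""
    elem = ET.fromstring(frame)
    if elem.tag != CLOSE_TAG:
        return None
    return elem.get("see-other-uri")


def should_follow(current_uri: str, target_uri: str) -> bool:
    """Decide whether a client may reconnect to target_uri after a see-other-uri.

    Rule: never move from a secure scheme to an insecure one (no downgrade);
    moving from insecure to secure, or secure to secure, is allowed.
    """
    cur_scheme = urlsplit(current_uri).scheme.lower()
    tgt = urlsplit(target_uri)
    tgt_scheme = tgt.scheme.lower()
    if tgt_scheme not in SECURE_SCHEMES | INSECURE_SCHEMES or not tgt.hostname:
        return False  # unknown scheme or no host: do not follow
    if cur_scheme in SECURE_SCHEMES and tgt_scheme in INSECURE_SCHEMES:
        return False  # downgrade from wss/https to ws/http is forbidden
    return True


def handle_close_frame(current_uri: str, frame: str) -> Optional[str]:
    """Return the URI to reconnect to, or None if the frame carries no usable redirect."""
    target = parse_see_other_uri(frame)
    if target is None or not should_follow(current_uri, target):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample: a server redirecting an insecure ws client to its wss endpoint.
    redirect = ('<close xmlns="%s" '
                'see-other-uri="wss://xmpp.example.com/xmpp-websocket"/>' % FRAMING_NS)
    print(handle_close_frame("ws://xmpp.example.com/xmpp-websocket", redirect))
    print(handle_close_frame("wss://xmpp.example.com/xmpp-websocket",
                             '<close xmlns="%s" see-other-uri="ws://x.example/ws"/>' % FRAMING_NS))
```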