[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [hybi] Redesigning the Web Socket handshake


On Feb 2, 2010, at 9:22 PM, Maciej Stachowiak wrote:

There are many possible variants, but here is an example of what the handshake request and response could look like (the hash used here is MD5; we could use a weaker hash that is faster to compute however):

Handshake from the client:

       GET /demo HTTP/1.1
       Upgrade: WebSocket
       Connection: Upgrade
       Host: example.com
       Origin: http://example.com
       WebSocket-Protocol: sample
       WebSocket-Nonce: 2d1283cf01e0e9f562989f0781450e7e

Response from the server:

       HTTP/1.1 101 Web Socket Protocol Handshake
       Upgrade: WebSocket
       Connection: Upgrade
       WebSocket-Origin: http://example.com
       WebSocket-Location: ws://example.com/demo
       WebSocket-Protocol: sample
       WebSocket-Nonce-Hash: 8ba7ca1e53376d29842e88d0f9db6978

The status line must come first, but order and capitalization of all request and response headers would be free. If we wanted to, we could even allow the status line to use any HTTP version.

A possible variant would be to include the nonce hash in the status line instead of in a header. But I think header is probably better.

I asked a security expert to review this and he had two suggestions:

1) Include the nonce hash in the status line. The strongest protection against cross-protocol attacks comes in the first few bytes, according to him, so it should be as early as possible.

2) The hash should also include the request origin and some fixed WebSocket-specific string (e.g. "WebSocket::"). (He actually suggested 'HMAC the string "Web
Socket::" and origin of WebSocket request using the nonce as a key' but I'm not sure if he was serious.)

Here is an example of the server response with the hash in the status line, and it is actually the MD5 hash of "WebSocket::<ORIGIN> <NONCE>" (i.e. "WebSocket::http://example.com 2d1283cf01e0e9f562989f0781450e7e").

       HTTP/1.1 101 Web Socket Protocol Handshake 2daff5fe4d1295d48697c3f1f4ab9538
       Upgrade: WebSocket
       Connection: Upgrade
       WebSocket-Origin: http://example.com
       WebSocket-Location: ws://example.com/demo
       WebSocket-Protocol: sample

Regards,
Maciej

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.