Re: [hybi] Why not just use ssh?
"Shelby Moore" <shelby@coolpage.com> Thu, 02 September 2010 02:00 UTC

Why do we think cross-protocol is a security hole, and then we think WebSocket protocol is not a security hole?

If there exist protocols which enable certain risky features, such as sending email (SMTP), what absolute assurance do we have there won't be some poorly programmed WebSocket servers which expose similar risky features?

Should we block WebSockets too?

I think the logic necessarily follows that if we are compelled to block cross-protocol, then we are also compelled to block WebSocket.

Let's just block everything, shut down the internet, that would definitely be secure.

This is an example of the failure directed castle security model (insanity) I described:

http://www.ietf.org/mail-archive/web/hybi/current/msg03915.html

Why can't we focus on real security as I described:

http://www.ietf.org/mail-archive/web/http-state/current/msg00939.html

P.S. If same origin policy (SOP) is the protection against vulnerable WebSocket servers, then it would also be for vulnerable protocols.