Re: [hybi] Refinement of draft upgrade handshake

Greg Wilkins <gregw@webtide.com> Tue, 02 November 2010 01:40 UTC


Attached is an updated version of the -03 draft text and a context
diff of the changes that reflect the proposals expressed in this
thread for the refinement of the upgrade handshake.  Specifically:

A) Use WS Hello from the server and a WS Hello from the client WS
frames to transport hashed nonces (rather than unframed bytes). This
fixes the issue with intermediaries not forwarding the unframed bytes
on the wire and makes the handshake comply with the requirement to be
HTTP/1.1 compliant before the 101 response.

B) Include a server nonce in the server-sent Hello, that the client
must hash and return in its Hello.

C) Use a Hello frame type instead of ping/pong

D) Replace the char/space encoding of the client nonce with simple hex encoding.

E) Define tight restrictions on the punctuation that can be sent in ws
URLs and subprotocols (e.g. prohibit use of : ) so that they cannot be
used to inject headers.  While not as robust as encrypting the
handshakes, these restrictions will provide substantial protection
against user provided data being used as part of an attack.

F) Invert the framing MORE bit to be a FIN bit, so that WS control
frames will start with a non-ASCII character

G) Change the "GET" to "WEBSOCKET" to allow admin authorization
control, and enable fast rejection.


regards
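
The following is an added example, not part of the original message or the attached draft: a sketch of the kind of check item E describes, rejecting ws resource names and subprotocols that carry ':' , whitespace or CR/LF before they are written into the handshake. The allowed character sets, the length limits, the function names and the use of the `Sec-WebSocket-Protocol` header line are assumptions; the message does not quote the draft's exact rules.

```python
import re

# Assumed allowlists: the message only says that punctuation such as ':' is
# prohibited; these exact sets and length limits are illustrative.
SUBPROTOCOL_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
RESOURCE_RE = re.compile(r"/[A-Za-z0-9._~/?&=%+-]{0,2047}")


class HandshakeValueError(ValueError):
    """Raised when a caller-supplied value could alter the header block."""


def check_value(kind, value, pattern):
    # fullmatch (not match or '$') so a trailing "\n" cannot slip through.
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise HandshakeValueError(f"rejected {kind}: {value!r}")
    return value


def build_handshake_lines(resource, subprotocol=None):
    """Return the request line and subprotocol header for validated input."""
    resource = check_value("resource", resource, RESOURCE_RE)
    lines = [f"WEBSOCKET {resource} HTTP/1.1"]  # method name as in item G
    if subprotocol is not None:
        proto = check_value("subprotocol", subprotocol, SUBPROTOCOL_RE)
        lines.append(f"Sec-WebSocket-Protocol: {proto}")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def is_rejected(resource, subprotocol=None):
    """True when validation refuses to place the values in the handshake."""
    try:
        build_handshake_lines(resource, subprotocol)
    except HandshakeValueError:
        return True
    return False


# Constructed sample inputs: (resource, subprotocol)
SAMPLES = [
    ("/chat?room=1", "chat.v1"),               # accepted
    ("/chat", "chat\r\nX-Injected: 1"),        # CR/LF and ':' in subprotocol
    ("/chat", "a:b"),                          # ':' alone
    ("/chat HTTP/1.1\r\nHost: other", None),   # space and CR/LF in resource
]

if __name__ == "__main__":
    for resource, proto in SAMPLES:
        verdict = "rejected" if is_rejected(resource, proto) else "accepted"
        print(f"{verdict}: {resource!r} {proto!r}")
```
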