IETF Logo Mail Archive

Re: [hybi] masking and wss / tls controllable

Eric Rescorla <ekr@rtfm.com> Tue, 25 January 2011 14:39 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A2733A67EB for <hybi@core3.amsl.com>; Tue, 25 Jan 2011 06:39:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.636
X-Spam-Level:
X-Spam-Status: No, score=-102.636 tagged_above=-999 required=5 tests=[AWL=0.341, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id va8ugztRGX88 for <hybi@core3.amsl.com>; Tue, 25 Jan 2011 06:39:47 -0800 (PST)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 1B06C3A67E7 for <hybi@ietf.org>; Tue, 25 Jan 2011 06:39:47 -0800 (PST)
Received: by gwb20 with SMTP id 20so2014962gwb.31 for <hybi@ietf.org>; Tue, 25 Jan 2011 06:42:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.90.91.20 with SMTP id o20mr60022agb.27.1295966564413; Tue, 25 Jan 2011 06:42:44 -0800 (PST)
Received: by 10.90.116.7 with HTTP; Tue, 25 Jan 2011 06:42:44 -0800 (PST)
In-Reply-To: <4D3E977C.7080103@warmcat.com>
References: <4D388CBD.4040708@ericsson.com> <AANLkTik_4q_r4jwqX8LMRriBpO6ZZDKMtqLF7s+e6Qy2@mail.gmail.com> <4D3D388A.3020803@ericsson.com> <AANLkTikxyYLgt1XWi9mZTg3MTHiG1cQWCy7sM10kPDop@mail.gmail.com> <4D3E8B4A.2040000@ericsson.com> <4D3E977C.7080103@warmcat.com>
Date: Tue, 25 Jan 2011 06:42:44 -0800
Message-ID: <AANLkTi==qAHGpgMk3uFpRnrawJRj0LuGqRzMm_gJ2ML2@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
To: andy@warmcat.com
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] masking and wss / tls controllable
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jan 2011 14:39:48 -0000

On Tue, Jan 25, 2011 at 1:27 AM, Andy Green <andy@warmcat.com> wrote:
> On 01/25/11 08:35, Somebody in the thread at some point said:
> I hope the browser vendors will immediately disable SSL support by default
> if so, until munging can be added to ssl: same as they did for ws://...

I don't know what "ssl:" is.

If you mean "https:", then no.

Look, the same origin policy prohibits you sending arbitrary data
plaintext to arbitrary
locations and then reading back the results. This applies whether you
are doing that
over HTTPS or over HTTP. WebSockets relaxes that constraint on a consensual
basis but in return adds new security features (the consent handshake
+ masking).
I'm simply stating that merely using TLS does not do an adequate job of masking,
i.e., not even as good as the 32-bit moving mask.

This isn't a concern with ordinary HTTPS for the same reason that it's
not a concern
with HTTP: same origin policy. However, that doesn't apply here.

-Ekr

v2.23.0 | Report a Bug | By Email