Re: [hybi] masking and wss / tls controllable
Eric Rescorla <ekr@rtfm.com> Tue, 25 January 2011 14:39 UTC

On Tue, Jan 25, 2011 at 1:27 AM, Andy Green <andy@warmcat.com> wrote:
> On 01/25/11 08:35, Somebody in the thread at some point said:
> I hope the browser vendors will immediately disable SSL support by default
> if so, until munging can be added to ssl: same as they did for ws://...

I don't know what "ssl:" is. If you mean "https:", then no.

Look, the same origin policy prohibits you sending arbitrary data plaintext
to arbitrary locations and then reading back the results. This applies
whether you are doing that over HTTPS or over HTTP. WebSockets relaxes that
constraint on a consensual basis but in return adds new security features
(the consent handshake + masking). I'm simply stating that merely using TLS
does not do an adequate job of masking, i.e., not even as good as the 32-bit
moving mask.

This isn't a concern with ordinary HTTPS for the same reason that it's not a
concern with HTTP: same origin policy. However, that doesn't apply here.

-Ekr
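
Added example, not part of the original message or of any hybi draft: a sketch of the client-to-server masking the message refers to, showing what a fresh 32-bit key does to script-chosen bytes on the wire and how a server refuses unmasked client frames. It assumes the frame layout later published in RFC 6455 (a 4-byte key per frame, payload byte i XORed with key byte i mod 4); the function names and the sample payload are constructed for illustration.

```python
import os

# Constructed sample: stands in for bytes chosen by a script in the page.
CHOSEN = b"SCRIPT-CHOSEN-BYTES"

def xor_mask(key, data):
    """XOR byte i with key[i % 4]; applying it twice restores the data."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def build_client_frame(payload, key=None):
    """One masked binary frame (FIN=1, opcode 0x2), RFC 6455 layout (assumed)."""
    key = os.urandom(4) if key is None else key  # fresh 32-bit key per frame
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    n = len(payload)
    if n < 126:
        header = bytes([0x82, 0x80 | n])
    elif n < 1 << 16:
        header = bytes([0x82, 0x80 | 126]) + n.to_bytes(2, "big")
    else:
        header = bytes([0x82, 0x80 | 127]) + n.to_bytes(8, "big")
    return header + key + xor_mask(key, payload)

def parse_client_frame(frame):
    """Server side: refuse unmasked client frames, then unmask the payload."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    if not frame[1] & 0x80:
        raise ValueError("client frame is not masked")
    n, off = frame[1] & 0x7F, 2
    if n == 126:
        n, off = int.from_bytes(frame[2:4], "big"), 4
    elif n == 127:
        n, off = int.from_bytes(frame[2:10], "big"), 10
    key, body = frame[off:off + 4], frame[off + 4:off + 4 + n]
    if len(key) != 4 or len(body) != n:
        raise ValueError("truncated frame")
    return xor_mask(key, body)

def appears_on_wire(payload, key):
    """True if the script-chosen bytes are visible verbatim in the frame."""
    return payload in build_client_frame(payload, key)

if __name__ == "__main__":
    print(appears_on_wire(CHOSEN, bytes(4)))             # all-zero key: XOR changes nothing
    print(appears_on_wire(CHOSEN, b"\x12\x34\x56\x78"))  # constructed non-zero key
    print(parse_client_frame(build_client_frame(CHOSEN)) == CHOSEN)
```

The all-zero key is included only as the contrast case: it is what the wire looks like when the sender's bytes pass through unchanged.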