[secdir] Review of draft-ietf-hybi-thewebsocketprotocol-10

<kathleen.moriarty@emc.com> Tue, 09 August 2011 13:43 UTC

From: kathleen.moriarty@emc.com
To: secdir@ietf.org, draft-ietf-hybi-thewebsocketprotocol.all@tools.ietf.org
Date: Tue, 09 Aug 2011 09:40:48 -0400
Cc: ifette+ietf@google.com
Subject: [secdir] Review of draft-ietf-hybi-thewebsocketprotocol-10

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Description: The WebSocket protocol consists of an opening
   handshake followed by basic message framing, layered over TCP.  The
   goal of this technology is to provide a mechanism for browser-based
   applications that need two-way communication with servers that does
   not rely on opening multiple HTTP connections (e.g. using
   XMLHttpRequest or <iframe>s and long polling).


This document is ready once the security considerations identified in the Gen-ART review are addressed.

Note: The Gen-ART review covered some security and protocol semantics already, thank you Richard.  Richard identified some subtle security issues and developed the "masking" concept in the draft.  It looks like his review from Gen-ART is also on version 10, so I am not certain if his considerations were addressed fully yet.

There are a few 'catch all' paragraphs in the security section to enforce the need for secure coding - making sure the server only accepts what it is supposed to accept (but just at a high level).  They also hit upon the use of proxies and what can happen in the middle.


Best regards,
Kathleen