Cross protocol attacks #35

Closed
martinthomson opened this Issue Feb 20, 2013 · 1 comment

Member

martinthomson commented Feb 20, 2013

We need to re-consider the section on cross protocol attacks. The statement that is made is no longer true. The final answer will depend on the outcome of #1.

RFC 6455, section 10.3 cites the following paper:

[TALKING] Huang, L-S., Chen, E., Barth, A., Rescorla, E., and C.
Jackson, "Talking to Yourself for Fun and Profit", 2010,
http://w2spconf.com/2011/papers/websocket.pdf.

This attack ultimately led to the websockets protocol adopting a masking scheme. This needs to be considered.
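For reference, the masking scheme mentioned in the comment above is the client-to-server frame masking of RFC 6455, section 5.3. The following is an added example, not part of the original issue or of any project's code: it builds a masked frame, parses it as a server would, and shows that a payload shaped like an HTTP request does not appear verbatim in the bytes an intermediary sees. The function names and the `SAMPLE` payload are constructed for illustration.

```python
import os
import struct

def mask(data: bytes, key: bytes) -> bytes:
    """RFC 6455 section 5.3: octet i is XORed with key[i mod 4]. Self-inverse."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def client_frame(payload: bytes, key: bytes = None, opcode: int = 0x1) -> bytes:
    """Build one unfragmented client-to-server frame (FIN=1, MASK=1)."""
    key = os.urandom(4) if key is None else key  # fresh, unpredictable per frame
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    n = len(payload)
    if n < 126:
        length = bytes([0x80 | n])
    elif n < 1 << 16:
        length = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        length = bytes([0x80 | 127]) + struct.pack("!Q", n)
    return bytes([0x80 | opcode]) + length + key + mask(payload, key)

def server_parse(frame: bytes) -> bytes:
    """Parse one frame as a server would; reject unmasked client frames."""
    if len(frame) < 2 or not frame[1] & 0x80:
        raise ValueError("unmasked or truncated client frame")
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    key = frame[pos:pos + 4]
    body = frame[pos + 4:pos + 4 + n]
    if len(key) != 4 or len(body) != n:
        raise ValueError("truncated frame")
    return mask(body, key)

# Constructed sample: a script-chosen payload shaped like an HTTP request.
SAMPLE = b"GET /x HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    wire = client_frame(SAMPLE)
    print(wire.hex())
    # The request text is absent on the wire but recovered by the endpoint.
    print(b"HTTP/1.1" in wire, server_parse(wire) == SAMPLE)
```
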

Owner

mnot commented Jun 13, 2013

Discussed in SF Interim; feeling is that intermediaries that are this broken should be fixed, not worked around (as it's a problem with their implementation whatever we do).

Suggest bringing up in HTTPbis work if not there already, since this is more about 1.1 than 2.0.

mnot closed this Jun 13, 2013
