Cross protocol attacks #35

Closed
martinthomson opened this issue Feb 20, 2013 · 1 comment
@martinthomson martinthomson commented Feb 20, 2013

We need to re-consider the section on cross protocol attacks. The statement that is made is no longer true. The final answer will depend on the outcome of #1.

RFC 6455, section 10.3 cites the following paper:

[TALKING] Huang, L-S., Chen, E., Barth, A., Rescorla, E., and C.
Jackson, "Talking to Yourself for Fun and Profit", 2010,
http://w2spconf.com/2011/papers/websocket.pdf.

This attack ultimately led to the websockets protocol adopting a masking scheme. This needs to be considered.

@mnot mnot commented Jun 13, 2013

Discussed in SF Interim; feeling is that intermediaries that are this broken should be fixed, not worked around (as it's a problem with their implementation whatever we do).

Suggest bringing up in HTTPbis work if not there already, since this is more about 1.1 than 2.0.

@mnot mnot closed this Jun 13, 2013