Re: Hello from Mozilla

From: Robert Collins <robertc_at_robertcollins.net>
Date: Thu, 30 Jul 2009 09:58:26 +1000

On Wed, 2009-07-15 at 00:51 +0000, Ian Hickson wrote:
>
> If there are any bytes allowed from the client or the server before
> the
> handshake starts, then it is no longer secure. The idea is to make
> sure
> you can't smuggle though payloads from other protocols, since
> otherwise
> you could use WebSocket to connect to services that aren't expecting
> it.

Then don't use port 80!

If you use port 80 you must expect the following:
 - many users will be unable to connect directly to your service
 - many users will think they are connecting directly to your service
but will not actually be doing so

AIUI websockets is:
 * TCP +
 * authentication

I don't really see this having *anything* to do with HTTP.

Perhaps I'm missing something fundamental, but as it stands, I think it
would be more robust, and more secure to say:
Websockets is on IANA port XXXX
the authentication handshake for a websocket server is YYYY
after that its a bidirectional stream of octects just like TCP
If a browser needs to get through a firewall to connect to the websocket
server, we recommend the use of a SOCKS proxy an HTTP proxy supporting
the CONNECT method.

What drives the desire to live on port 80?

-Rob

Received on Wed Jul 29 2009 - 23:58:34 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 30 2009 - 12:00:09 MDT