Early Review of draft-ietf-hybi-thewebsocketprotocol-
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
Description: The WebSocket protocol consists of an opening
handshake followed by basic message framing, layered over TCP. The
goal of this technology is to provide a mechanism for browser-based
applications that need two-way communication with servers that does
not rely on opening multiple HTTP connections (e.g. using
XMLHttpRequest or <iframe>s and long polling).
This document is ready once the security considerations identified in the Gen-ART review are addressed.
Note: The Gen-ART review covered some security and protocol semantics already, thank you Richard. Richard identified some subtle security issues and developed the "masking" concept in the draft. It looks like his review from Gen-ART is also on version 10, so I am not certain if his considerations were addressed fully yet.
There are a few 'catch all' paragraphs in the security section to enforce the need for secure coding - making sure the server only accepts what it is supposed to accept (but just at a high level). They also hit upon the use of proxies and what can happen in the middle.