Early Review of draft-ietf-hybi-thewebsocketprotocol-
review-ietf-hybi-thewebsocketprotocol-secdir-early-moriarty-2011-08-14-00

Team Security Area Directorate (secdir)
Title Early Review of draft-ietf-hybi-thewebsocketprotocol-
Request Early - requested 2011-08-01
Reviewer Kathleen Moriarty
Posted at http://www.ietf.org/mail-archive/web/secdir/current/msg02835.html
Last updated 2011-08-14

Review
review-ietf-hybi-thewebsocketprotocol-secdir-early-moriarty-2011-08-14

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Description: The WebSocket protocol consists of an opening
   handshake followed by basic message framing, layered over TCP.  The
   goal of this technology is to provide a mechanism for browser-based
   applications that need two-way communication with servers that does
   not rely on opening multiple HTTP connections (e.g. using
   XMLHttpRequest or <iframe>s and long polling).


This document is ready once the security considerations identified in the Gen-ART review are addressed.

Note: The Gen-ART review covered some security and protocol semantics already, thank you Richard.  Richard identified some subtle security issues and developed the "masking" concept in the draft.  It looks like his review from Gen-ART is also on version 10, so I am not certain if his considerations were addressed fully yet.

There are a few 'catch all' paragraphs in the security section to enforce the need for secure coding - making sure the server only accepts what it is supposed to accept (but just at a high level).  They also hit upon the use of proxies and what can happen in the middle.


Best regards,
Kathleen