Skip to main content

Early Review of draft-ietf-hybi-thewebsocketprotocol-

Request Review of draft-ietf-hybi-thewebsocketprotocol
Requested revision No specific revision (document currently at 17)
Type Early Review
Team Security Area Directorate (secdir)
Deadline 2011-08-14
Requested 2011-08-01
Authors Alexey Melnikov , Ian Fette
I-D last updated 2011-08-14
Completed reviews Secdir Early review of -?? by Kathleen Moriarty
Tsvdir Early review of -?? by Magnus Westerlund
Assignment Reviewer Kathleen Moriarty
State Completed
Request Early review on draft-ietf-hybi-thewebsocketprotocol by Security Area Directorate Assigned
Completed 2011-08-14
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Description: The WebSocket protocol consists of an opening
   handshake followed by basic message framing, layered over TCP.  The
   goal of this technology is to provide a mechanism for browser-based
   applications that need two-way communication with servers that does
   not rely on opening multiple HTTP connections (e.g. using
   XMLHttpRequest or <iframe>s and long polling).

This document is ready once the security considerations identified in the
Gen-ART review are addressed.

Note: The Gen-ART review covered some security and protocol semantics already,
thank you Richard.  Richard identified some subtle security issues and
developed the "masking" concept in the draft.  It looks like his review from
Gen-ART is also on version 10, so I am not certain if his considerations were
addressed fully yet.

There are a few 'catch all' paragraphs in the security section to enforce the
need for secure coding - making sure the server only accepts what it is
supposed to accept (but just at a high level).  They also hit upon the use of
proxies and what can happen in the middle.

Best regards,