Early Review of draft-ietf-hybi-thewebsocketprotocol-
review-ietf-hybi-thewebsocketprotocol-secdir-early-moriarty-2011-08-14-00

Request
  Review of: draft-ietf-hybi-thewebsocketprotocol
  Requested revision: No specific revision (document currently at 17)
  Type: Early Review
  Team: Security Area Directorate (secdir)
  Deadline: 2011-08-14
  Requested: 2011-08-01
  Authors: Alexey Melnikov, Ian Fette
  I-D last updated: 2011-08-14
  Completed reviews:
    Secdir Early review of -?? by Kathleen Moriarty
    Tsvdir Early review of -?? by Magnus Westerlund

Assignment
  Reviewer: Kathleen Moriarty
  State: Completed
  Request: Early review on draft-ietf-hybi-thewebsocketprotocol by Security Area Directorate (Assigned)
  Completed: 2011-08-14

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Description: The WebSocket protocol consists of an opening
   handshake followed by basic message framing, layered over TCP.  The
   goal of this technology is to provide a mechanism for browser-based
   applications that need two-way communication with servers that does
   not rely on opening multiple HTTP connections (e.g. using
   XMLHttpRequest or <iframe>s and long polling).

This document is ready once the security considerations identified in the
Gen-ART review are addressed.

Note: The Gen-ART review covered some security and protocol semantics already;
thank you, Richard.  Richard identified some subtle security issues and
developed the "masking" concept in the draft.  It looks like his review from
Gen-ART is also on version 10, so I am not certain if his considerations were
addressed fully yet.

There are a few 'catch all' paragraphs in the security section to enforce the
need for secure coding - making sure the server only accepts what it is
supposed to accept (but just at a high level).  They also hit upon the use of
proxies and what can happen in the middle.

Best regards,
Kathleen