Howdy All,

Rodger is correct. If a WebSocket client sends non-masked data, a conforming server MUST fail the connection. A simple set of four random characters is chosen during the construction of a message and used to flip the bits in each character of the message, and then flipped back at the other end. This prevents the crafting of an ordered set of bytes that could trick a server in between. Trying to craft a set of 4 mask bytes to make a faulty message work is not going to work either, because of the mathematical relation of bits, bytes and characters.
The latest draft of the specification is at version (14), released Sep 8th, 2011 and can be found at http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-14

If folks want to yack about websockets, I do have a forum on my site, and one could go to the AsterClick section. Read the signup form carefully or you'll be mistaken for a SPAMBOT.

--Doc

On 09/09/2011 02:56 AM, Roger F. Gay wrote:
> The solution to that problem that is now defined in the websocket standard is
> discussed in section 10.3 of the standard. In short, it is to "mask all data
> from the client to the server, so that the remote script (attacker) does not
> have control over how the data being sent appears on the wire, and thus cannot
> construct a message that could be misinterpreted by an intermediary as an HTTP
> request."
>
> Refer to the standard itself if you want more detail:
> http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-14#section-10.3
>
> ________________________________
> From: Mark T <[email protected]>
> To: [email protected]
> Sent: Friday, 9 September 2011 9:21
> Subject: Re: SV: [svg-developers] Websockets, explained
>
> Last I knew of the webSockets security issue it was a specification-level
> vuln. In that intermediate caches could be poisoned. Such that traffic could
> be re-directed or intercepted. Have not tracked it close enough to be more
> specific.
> I find eJabberd + strophe a working technique.
> Difference is likely to be if sending messages, then xmpp.
> Sending raw data, webSockets.<<-----------???
>
> MarkT
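The masking Doc and Roger describe, as an added worked example (not code from the thread, from Doc's AsterClick project, or from any WebSocket library; the helper names, the `ProtocolError` class and the sample payloads are all constructed here): a client builds a frame with a fresh random 4-byte key and XORs every payload byte with it, and a server parses the frame, unmasks it, and refuses any client frame that arrives with the MASK bit clear. The last helper shows why a script that controls only the payload cannot control the bytes on the wire: the same payload masked under different random keys produces different frames.

```python
# Added example: WebSocket client-side masking and the server-side check
# a conforming server applies. Hypothetical helper code for illustration;
# not from the mailing-list thread or from any WebSocket library.
import os
import struct
from typing import Optional, Tuple


class ProtocolError(Exception):
    """Raised when a frame violates the protocol; the server fails the connection."""


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR each payload byte with key[i % 4]. Applying it twice restores the original."""
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload: bytes, key: Optional[bytes] = None,
                       fin: bool = True, opcode: int = 0x1) -> bytes:
    """Build a masked client-to-server frame. A fresh random key per frame is the default."""
    if key is None:
        key = os.urandom(4)  # unpredictable to whatever script chose the payload
    header = bytes([(0x80 if fin else 0x00) | (opcode & 0x0F)])
    length = len(payload)
    if length < 126:
        header += bytes([0x80 | length])  # MASK bit set, 7-bit length
    elif length < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", length)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", length)
    return header + key + mask_payload(payload, key)


def server_parse_frame(frame: bytes) -> Tuple[int, bytes]:
    """Parse one client frame into (opcode, payload). Unmasked client frames are rejected."""
    if len(frame) < 2:
        raise ProtocolError("truncated header")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    length = frame[1] & 0x7F
    pos = 2
    if length == 126:
        if len(frame) < 4:
            raise ProtocolError("truncated extended length")
        (length,) = struct.unpack("!H", frame[2:4])
        pos = 4
    elif length == 127:
        if len(frame) < 10:
            raise ProtocolError("truncated extended length")
        (length,) = struct.unpack("!Q", frame[2:10])
        pos = 10
    if not masked:
        # This is the point Doc makes: a conforming server MUST fail the connection.
        raise ProtocolError("client frame is not masked; failing the connection")
    key = frame[pos:pos + 4]
    data = frame[pos + 4:pos + 4 + length]
    if len(key) != 4 or len(data) != length:
        raise ProtocolError("truncated frame")
    return opcode, mask_payload(data, key)


def server_accepts(frame: bytes) -> bool:
    """True if the frame parses cleanly, False if the server would fail the connection."""
    try:
        server_parse_frame(frame)
        return True
    except ProtocolError:
        return False


def wire_bytes_vary(payload: bytes, trials: int = 8) -> bool:
    """Same payload, several random keys: the masked bytes after the 6-byte
    header differ between frames, so the sender cannot dictate what an
    intermediary sees on the wire."""
    seen = {build_client_frame(payload)[6:] for _ in range(trials)}
    return len(seen) > 1


if __name__ == "__main__":
    frame = build_client_frame(b"hello", key=bytes([0x01, 0x02, 0x03, 0x04]))
    print("masked frame:", frame.hex())
    print("server decodes:", server_parse_frame(frame))
    print("unmasked client frame accepted?", server_accepts(b"\x81\x05hello"))
    print("wire bytes vary with the key?", wire_bytes_vary(b"GET / HTTP/1.1"))
```

The constructed unmasked frame `b"\x81\x05hello"` is a valid server-to-client frame but, arriving from a client, is exactly the case the draft tells the server to close on; `server_accepts` returns False for it and True for the masked version of the same text.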

