Howdy All

Roger is correct. If a WebSocket client sends non-masked data, a conforming server MUST fail the connection. Four simple random characters are chosen during the construction of a message and used to flip the bits in each character of the message, and then flipped back at the other end. This prevents the crafting of an ordered set of bytes that could trick a server in between. Trying to craft a set of 4 mask bytes to make a faulty message work is not going to work either, because of the mathematical relation of bits, bytes and characters.

The latest draft of the specification is at version 14, released Sep 8th, 2011, and can be found at http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-14

If folks want to yack about websockets, I do have a forum on my site, and one could go to the AsterClick section. Read the signup form carefully or you'll be mistaken for a SPAMBOT.

--Doc


On 09/09/2011 02:56 AM, Roger F. Gay wrote:
> The solution to that problem that is now defined in the websocket standard is 
> discussed in section 10.3 of the standard. In short, it is to "mask all data 
> from the client to the server, so
> that the remote script (attacker) does not have control over how the data 
> being sent appears on the wire, and thus cannot construct a message that 
> could be misinterpreted by an intermediary as an HTTP request."
>
> Refer to the standard itself if you want more detail: 
> http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-14#section-10.3
>
>
>
>
> ________________________________
> From: Mark T<[email protected]>
> To: [email protected]
> Sent: Friday, 9 September 2011 9:21
> Subject: Re: SV: [svg-developers] Websockets, explained
>
>
>   
> Last I knew of the webSockets security issue it was a specification-level
> vuln.
> In that intermediate caches could be poisoned.
> Such that traffic could be re-directed or intercepted.
> Have not tracked it close enough to be more specific.
> I find eJabberd + strophe a working technique.
> Difference is likely to be if sending messages, then xmpp.
> Sending raw data, webSockets.<<-----------???
>
> MarkT


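The masking step that Doc and Roger describe above, as an added example and not code from anyone in this thread: a minimal client-side framer and server-side frame parser following RFC 6455 section 5.3 (the published form of draft 14). The function names apply_mask, build_client_frame, parse_server_side and server_accepts are my own; the fixed key 37 fa 21 3d is the one the RFC uses in its own "Hello" example, and the "GET /evil ..." payload is constructed here to show that the bytes a page script chooses never appear literally on the wire.

```python
"""Minimal RFC 6455 framing: client-side masking and the server-side check.
Constructed example for the svg-developers thread; not code from the thread."""
import os
import struct
from typing import Optional, Tuple

# Opcode from RFC 6455 section 5.2 (only text frames are used here).
OP_TEXT = 0x1


class ProtocolError(Exception):
    """Raised where RFC 6455 says the endpoint MUST fail the connection."""


def apply_mask(masking_key: bytes, data: bytes) -> bytes:
    """RFC 6455 section 5.3: transformed octet i = octet i XOR key[i mod 4].
    XOR is its own inverse, so the same call masks and unmasks."""
    if len(masking_key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    return bytes(b ^ masking_key[i % 4] for i, b in enumerate(data))


def build_client_frame(payload: bytes, masking_key: Optional[bytes] = None,
                       opcode: int = OP_TEXT) -> bytes:
    """Build one unfragmented frame as a client must send it: FIN=1, MASK=1.
    The key defaults to 4 fresh os.urandom bytes: the defence only works if
    the script that supplies the payload cannot predict the key."""
    if masking_key is None:
        masking_key = os.urandom(4)
    header = bytes([0x80 | opcode])  # FIN set, RSV1-3 clear
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])  # MASK bit | 7-bit length
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + masking_key + apply_mask(masking_key, payload)


def parse_server_side(frame: bytes) -> Tuple[int, bytes]:
    """Parse one client frame as a conforming server. Returns (opcode, payload).
    A client frame with MASK=0 is a protocol error (RFC 6455 section 5.1); the
    server fails the connection, normally with close status 1002."""
    if len(frame) < 2:
        raise ProtocolError("truncated header")
    b0, b1 = frame[0], frame[1]
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if length == 126:
        (length,) = struct.unpack("!H", frame[pos:pos + 2])
        pos += 2
    elif length == 127:
        (length,) = struct.unpack("!Q", frame[pos:pos + 8])
        pos += 8
    if not masked:
        # Reject before touching the payload: this is the MUST in the spec.
        raise ProtocolError("client frame not masked; failing the connection (1002)")
    key = frame[pos:pos + 4]
    pos += 4
    body = frame[pos:pos + length]
    if len(body) != length:
        raise ProtocolError("truncated payload")
    return opcode, apply_mask(key, body)


def server_accepts(frame: bytes) -> bool:
    """True if a conforming server would accept the frame, False if it fails
    the connection."""
    try:
        parse_server_side(frame)
        return True
    except ProtocolError:
        return False


if __name__ == "__main__":
    key = bytes.fromhex("37fa213d")  # the RFC's own example key
    # Constructed "attack" payload: a script tries to put an HTTP request on the wire.
    wire = build_client_frame(b"GET /evil HTTP/1.1\r\n\r\n", key)
    print("on the wire:", wire.hex())
    print("GET visible on wire?", b"GET" in wire)  # False: the mask hides it
    print("server accepts masked frame:", server_accepts(wire))
    print("server accepts unmasked frame:", server_accepts(bytes([0x81, 5]) + b"Hello"))
```

Two things to note when reading it: the MASK bit is checked before any payload is unmasked, so an intermediary that only understands HTTP never gets to see a plausible request line, and the protection rests entirely on the browser picking the 4 key bytes itself with a source the page script cannot influence, which is why the example uses os.urandom rather than letting the caller choose in normal use.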
