{"id":2438,"date":"2011-01-04T10:06:43","date_gmt":"2011-01-04T09:06:43","guid":{"rendered":"http:\/\/daniel.haxx.se\/blog\/?p=2438"},"modified":"2011-01-04T10:06:43","modified_gmt":"2011-01-04T09:06:43","slug":"websockets-now-handshake-and-masking","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2011\/01\/04\/websockets-now-handshake-and-masking\/","title":{"rendered":"WebSockets now: handshake and masking"},"content":{"rendered":"<p>In August 2010 I <a href=\"http:\/\/daniel.haxx.se\/blog\/2010\/08\/06\/websockets-right-now\/\">blogged about the WebSockets state<\/a> at the time. In some aspects nothing has changed, and in some other aspects a lot has changed. There&#8217;s still no WebSockets specification that approaches consensus (remember the\u00c2\u00a0<a href=\"http:\/\/www.ietf.org\/mail-archive\/web\/hybi\/current\/msg02468.html\">4 weeks plan from July<\/a>?).<\/p>\n<h2>Handshaking this or that way<\/h2>\n<p>We&#8217;ve been reading an endless debate through the last couple of months on how the handshake should be made and how to avoid that stupid\u00c2\u00a0intermediaries\u00c2\u00a0might get tricked by HTTP-looking websocket traffic. In the midst of that storm, a team of people posted the paper <a href=\"http:\/\/www.adambarth.com\/experimental\/websocket.pdf\">Transparent Proxies: Threat or Menace?<\/a> which argued that HTTP+Upgrade would be insecure and that CONNECT should be used (<a href=\"http:\/\/ietfreport.isoc.org\/idref\/draft-abarth-websocket-handshake\/\">Abarth&#8217;s early draft of the CONNECT handshake<\/a>).<\/p>\n<p><a href=\"http:\/\/www.ietf.org\/mail-archive\/web\/hybi\/current\/msg04849.html\">CONNECT to the server is not kosher HTTP<\/a> and is not being appreciated by several people &#8211; CONNECT is meant to get sent to proxies and proxies are explicitly setup to a client.<\/p>\n<p>The idea to use a separate and dedicated port is of course brought up every now and then but is mostly not considered. Most people seem to want this protocol to go over the &#8220;web&#8221; ports 80 and 443 and thus to be able to share the proxy environment used for HTTP.<\/p>\n<p>Currently it seems as if we&#8217;re back to a HTTP+Upgrade handshake.<\/p>\n<h2>Masking the traffic<\/h2>\n<p>A lot of people also questioned the very binary outcome of the Transparet Proxies report mentioned above, and later on it seems the consensus that by &#8220;masking&#8221; WebSocket traffic it should be possible to avoid the risk that stupid intermediaries misinterpret the traffic as HTTP. The masking is currently being discussed to be XOR with a frame-specific key, so that a typical stream will change key multiple times but is still easy for a WebSocket-aware tool (say Wireshark and similar) to &#8220;demask&#8221; on purpose.<\/p>\n<p>The last few weeks have been spent on discussing how the masking is done, if it is to become optional and if the masking should include the framing or not.<\/p>\n<h2>This is an open process<\/h2>\n<p>I&#8217;m not sure I&#8217;ve stressed this properly before: IETF is an open organization. Anyone can join in and share their views and opinions, but of course you need to argue <em>technical<\/em> merits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In August 2010 I blogged about the WebSockets state at the time. In some aspects nothing has changed, and in some other aspects a lot has changed. There&#8217;s still no WebSockets specification that approaches consensus (remember the\u00c2\u00a04 weeks plan from July?). Handshaking this or that way We&#8217;ve been reading an endless debate through the last &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2011\/01\/04\/websockets-now-handshake-and-masking\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">WebSockets now: handshake and masking<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,45],"tags":[230,426,287],"class_list":["post-2438","post","type-post","status-publish","format-standard","hentry","category-net","category-web","tag-http","tag-web","tag-websockets"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/2438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=2438"}],"version-history":[{"count":9,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/2438\/revisions"}],"predecessor-version":[{"id":2449,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/2438\/revisions\/2449"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=2438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=2438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=2438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}