W3C home > Mailing lists > Public > public-ietf-w3c@w3.org > September 2011

Re: HTTP, websockets, and redirects

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 1 Sep 2011 10:38:59 -0700
Message-ID: <CAJE5ia-oNLns0ttNCW+LNzQs0O1SbUV8tmDdyfVLiQ6ZtaBqXw@mail.gmail.com>
To: Rich Tibbett <richt@opera.com>
Cc: Brian Raymor <Brian.Raymor@microsoft.com>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>, WebApps WG <public-webapps@w3.org>
On Thu, Sep 1, 2011 at 4:53 AM, Rich Tibbett <richt@opera.com> wrote:
> Adam Barth wrote:
>>
>> Generally speaking, browsers have been moving away from triggering
>> authentication dialogs for subresource loads because they are more
>> often used for phishing than for legitimate purposes.  A WebSocket
>> connection is much like a subresource load.
>
> Couldn't we only allow digest-based 401/407 authentication for subresource
> loads so an attacker cannot simply obtain unencrypted credentials?

Unfortunately, digest isn't robust against phishing.

Adam


> The latest WebSocket protocol spec [1] says:
>
> "This protocol doesn't prescribe any particular way that servers can
> authenticate clients during the WebSocket handshake.  The WebSocket server
> can use any client authentication mechanism available to a generic HTTP
> server, such as Cookies, HTTP Authentication, TLS authentication."
>
> Without HTTP Auth and the difficulty/performance issues of doing TLS auth in
> pure JavaScript it seems we are left with a cookie-only authentication
> option.
>
> Disabling support for Basic HTTP Authentication but still ticking the box
> for HTTP auth, with the added benefit that all such HTTP auth will be
> encrypted, seems like a win-win here.
>
> - Rich
>
> [1]
> http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-13#page-54
>
>>
>>
>> On Wed, Aug 10, 2011 at 9:36 PM, Brian Raymor
>> <Brian.Raymor@microsoft.com>  wrote:
>>>
>>> What is the rationale for also failing the websocket connection when a
>>> response for authentication is received such as:
>>>
>>> 401 Unauthorized
>>> 407 Proxy Authentication Required
>>>
>
Received on Thursday, 1 September 2011 17:40:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 1 September 2011 17:40:09 GMT