
[whatwg] web-apps - TCPConnection

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 26 Oct 2005 18:17:54 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0510261812330.6813@dhalsim.dreamhost.com>

On Mon, 17 Oct 2005, Ted Goddard wrote:
> 
> Rather than invent another protocol, this seems like an
> excellent application for BEEP:
> 
> http://www.ietf.org/rfc/rfc3080.txt

Good lord, that protocol is FAR more complicated than it needs to be. And 
it doesn't address several of the security issues that are critical here, 
such as severely limiting what the initial packets can contain, and 
ensuring that the remote host is expecting a connection initiated by a Web 
page of the specified domain.


> Restricting connections to the originating host only has shown
> to be fairly effective so far, and it's quite easy to see how
> allowing arbitrary connections (no matter what port they are on)
> could be used to stage attacks on remote servers.  Are connections
> to arbitrary hosts worth the risk?

With the protocol as currently designed, connections can only be 
established to hosts that are expecting connections from the page's 
domain, which massively minimises the risk. (At the moment, it isn't 
possible to connect to remote hosts from other domains anyway, but I 
imagine we'll relax this in due course.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 October 2005 11:17:54 UTC
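
Added example, not part of the original message or of the protocol draft it discusses: a Python sketch of the two safeguards named in the reply, a fixed first packet and a remote host that must declare it expects connections from the page's domain. The `HELLO`/`WELCOME` wire format, the function names and the `.example` hosts are assumptions made for illustration.

```python
import re

# Hypothetical wire format (assumption, not from the original message):
# the user agent sends a fixed greeting, and the server must answer
# "WELCOME <domain>" before any page-controlled byte is released.
UA_GREETING = b"HELLO\n"
_WELCOME = re.compile(rb"WELCOME ([a-z0-9.-]{1,253})\n")
MAX_REPLY = 300  # bound how much an unknown peer can make us buffer


def server_opted_in(reply: bytes, page_domain: str) -> bool:
    """True only if the peer's first line names the page's own domain."""
    if len(reply) > MAX_REPLY:
        return False
    m = _WELCOME.fullmatch(reply)  # nothing may precede or follow the line
    return m is not None and m.group(1).decode("ascii") == page_domain.lower()


def open_connection(page_domain, page_payload, peer):
    """Return (bytes the user agent put on the wire, connection allowed).

    `peer` is a callable standing in for the remote host: it receives the
    greeting and returns its first reply.
    """
    sent = [UA_GREETING]              # fixed; the page cannot influence it
    reply = peer(UA_GREETING)
    if not server_opted_in(reply, page_domain):
        return sent, False            # close; the page payload never leaves
    sent.append(page_payload)
    return sent, True


# Constructed peers for the demonstration.
def cooperating_server(_greeting):
    return b"WELCOME app.example\n"

def legacy_smtp_server(_greeting):    # a service that never opted in
    return b"220 mail.example ESMTP ready\r\n"

def other_domain_server(_greeting):   # opted in, but for a different domain
    return b"WELCOME other.example\n"


if __name__ == "__main__":
    payload = b"page-controlled data\n"
    for peer in (cooperating_server, legacy_smtp_server, other_domain_server):
        print(peer.__name__, open_connection("app.example", payload, peer))
```

Only the cooperating server receives the page-controlled payload; the other two peers see nothing beyond the fixed greeting.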
