[whatwg] web-apps - TCPConnection

Wed Oct 26 11:17:54 PDT 2005

On Mon, 17 Oct 2005, Ted Goddard wrote:
> 
> Rather than invent another protocol, this seems like an
> excellent application for BEEP:
> 
> http://www.ietf.org/rfc/rfc3080.txt

Good lord, that protocol is FAR more complicated than it needs to be. And 
it doesn't address several of the security issues that are critical here, 
such as severly limiting what the initial packets can contain, and 
ensuring that the remote host is expecting a connection initiated by a Web 
page of the specified domain.

> Restricting connections to the originating host only has shown
> to be fairly effective so far, and it's quite easy to see how
> allowing arbitrary connections (no matter what port they are on)
> could be used to stage attacks on remote servers.  Are connections
> to arbitrary hosts worth the risk?

With the protocol as currently designed, connections can only be 
established to hosts that are expecting connections from the page's 
domain, which massively minimises the risk. (At the moment, it isn't 
possible to connect to remote hosts from other domains anyway, but I 
imagine we'll relax this in due course.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'