On Wed, 2009-07-15 at 00:51 +0000, Ian Hickson wrote:
> If there are any bytes allowed from the client or the server before the
> handshake starts, then it is no longer secure. The idea is to make sure
> you can't smuggle through payloads from other protocols, since otherwise
> you could use WebSocket to connect to services that aren't expecting it.

Then don't use port 80!

If you use port 80 you must expect the following:
- many users will be unable to connect directly to your service
- many users will think they are connecting directly to your service but will not actually be doing so

AIUI websockets is:
* TCP +
* authentication

I don't really see this having *anything* to do with HTTP. Perhaps I'm missing something fundamental, but as it stands, I think it would be more robust, and more secure to say:

Websockets is on IANA port XXXX
The authentication handshake for a websocket server is YYYY
After that it's a bidirectional stream of octets just like TCP

If a browser needs to get through a firewall to connect to the websocket server, we recommend the use of a SOCKS proxy or an HTTP proxy supporting the CONNECT method.

What drives the desire to live on port 80?

-Rob
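The point Ian's quoted paragraph makes, that a server must treat the handshake as the very first bytes on the connection and reject anything in front of it, can be shown with a small accept check. This is an added illustration, not code from the thread or from any WebSocket implementation: the handshake token `HANDSHAKE` is a constructed placeholder standing in for the "YYYY" in Rob's sketch, and the two accept functions contrast a strict first-bytes check with the lenient "find the handshake anywhere" behaviour the quoted message warns against.

```python
# Added example (not from the thread): strict vs. lenient handshake acceptance.
# HANDSHAKE is a constructed placeholder, not the real WebSocket handshake.
HANDSHAKE = b"WSHANDSHAKE/1\r\n\r\n"


def accept_strict(first_bytes: bytes) -> bool:
    """Accept only if the connection opens with the handshake and nothing else.

    This is the property the quoted message asks for: no bytes from either
    side may precede the handshake.
    """
    return first_bytes.startswith(HANDSHAKE)


def accept_lenient(first_bytes: bytes) -> bool:
    """Lenient server: accepts if the handshake appears anywhere in the
    opening data. Any bytes in front of it reach the server untouched,
    which is exactly the cross-protocol smuggling concern."""
    return HANDSHAKE in first_bytes


def preamble_before_handshake(first_bytes: bytes) -> bytes:
    """Return the bytes that precede the handshake (empty if none, or if
    the handshake is absent). Useful for logging what a lenient server
    would have let through."""
    idx = first_bytes.find(HANDSHAKE)
    return first_bytes[:idx] if idx > 0 else b""


def classify(first_bytes: bytes) -> str:
    """Summarise how the two policies treat an opening byte sequence."""
    strict = accept_strict(first_bytes)
    lenient = accept_lenient(first_bytes)
    if strict:
        return "accepted by both (handshake is first)"
    if lenient:
        return "rejected by strict, accepted by lenient (preamble present)"
    return "rejected by both (no handshake)"


# Constructed sample inputs.
CLEAN = HANDSHAKE + b"application payload"
# Constructed: a line that looks like some other protocol's command, placed
# in front of the handshake.
WITH_PREAMBLE = b"OTHER-PROTOCOL-COMMAND\r\n" + HANDSHAKE + b"application payload"
NO_HANDSHAKE = b"just some bytes"

if __name__ == "__main__":
    for sample in (CLEAN, WITH_PREAMBLE, NO_HANDSHAKE):
        print(repr(sample[:32]), "->", classify(sample))
```

The strict check is what makes "nothing before the handshake" enforceable: the server never interprets, forwards or tolerates leading bytes, so a client that can only speak the handshake first cannot be used to push a different protocol's commands at a service listening on the same port.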