Closed ssmithup closed 11 years ago
Masking is not for security (encryption), it's there theoretically to work better with proxies (to deny several kinds of attacks for cache poisoning).
Anyway, having non-masked traffic is not supported by RFC 6455. If you are talking server-to-server (all browsers use masking anyway), you can use a mask of all zeros.
Oh thanks, I didn't realize that! I'll add masking to our library.
On Wed, Dec 19, 2012 at 2:16 AM, Paul Colomiets notifications@github.com wrote:
> Masking is not for security (encryption), it's there theoretically to work better with proxies (to deny several kinds of attacks for cache poisoning).
> Anyway, having non-masked traffic is not supported by RFC 6455. If you are talking server-to-server (all browsers use masking anyway), you can use a mask of all zeros.
I'm not sure why masked messages exist (doesn't seem to provide any real security, if you care that much use SSL), but regardless libwebsite doesn't work with unmasked messages.
The solution is pretty easy; you can pretend like the mask is 0, or simply skip the unmask step. I implemented a combination of the two which worked well enough (setting mask = NULL if !has_mask, but then if you have a partial message set websocket_partial_mask = 0).
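Added example, not part of the thread and not libwebsite's code: a small C decoder showing the three cases discussed above (a masked frame, a frame with an all-zero masking key, and an unmasked frame), with a strict mode that rejects unmasked frames and a lenient mode that treats a missing mask as a zero key. The function name `ws_read_small_frame`, its return codes, and the sample frames are assumptions made for this illustration; only payloads up to 125 bytes are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample frames: a single text frame carrying "Hello". */
static const uint8_t MASKED[]   = {0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d,
                                   0x7f, 0x9f, 0x4d, 0x51, 0x58};
static const uint8_t ZERO_KEY[] = {0x81, 0x85, 0x00, 0x00, 0x00, 0x00,
                                   'H', 'e', 'l', 'l', 'o'};
static const uint8_t UNMASKED[] = {0x81, 0x05, 'H', 'e', 'l', 'l', 'o'};

/* Hypothetical helper (not libwebsite's API): decode one frame whose payload
 * length fits the 7-bit field (<= 125). Returns the payload length, -1 for a
 * short buffer or extended length, -2 for an unmasked frame when require_mask
 * is set (strict handling of client-to-server frames). */
static int ws_read_small_frame(const uint8_t *buf, size_t len, int require_mask,
                               uint8_t *out, size_t out_cap)
{
    if (len < 2) return -1;
    int has_mask = (buf[1] & 0x80) != 0;   /* MASK bit */
    size_t plen = buf[1] & 0x7f;           /* 7-bit payload length */
    if (plen > 125) return -1;             /* 126/127: extended length, not handled */
    if (!has_mask && require_mask) return -2;
    size_t hdr = has_mask ? 6 : 2;         /* masking key adds 4 bytes */
    if (len < hdr + plen || out_cap < plen) return -1;
    uint8_t key[4] = {0, 0, 0, 0};         /* no mask behaves like a zero key */
    if (has_mask) memcpy(key, buf + 2, 4);
    for (size_t i = 0; i < plen; i++)
        out[i] = buf[hdr + i] ^ key[i % 4];
    return (int)plen;
}

int main(void)
{
    uint8_t out[126] = {0};
    int n = ws_read_small_frame(MASKED, sizeof MASKED, 1, out, 125);
    printf("masked:   %d %.*s\n", n, n > 0 ? n : 0, out);
    n = ws_read_small_frame(ZERO_KEY, sizeof ZERO_KEY, 1, out, 125);
    printf("zero key: %d %.*s\n", n, n > 0 ? n : 0, out);
    n = ws_read_small_frame(UNMASKED, sizeof UNMASKED, 1, out, 125);
    printf("unmasked, strict:  %d\n", n);
    n = ws_read_small_frame(UNMASKED, sizeof UNMASKED, 0, out, 125);
    printf("unmasked, lenient: %d %.*s\n", n, n > 0 ? n : 0, out);
    return 0;
}
```

With an all-zero key the payload bytes on the wire are identical to the plaintext, so a sender can stay within the masked frame format without any XOR work.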