[Development] websockets (was RE: Qt 5.3 Feature freeze is coming quite soon...)
Koehne Kai
Kai.Koehne at digia.com
Mon Jan 27 09:06:37 CET 2014
> -----Original Message-----
> From: development-bounces+kai.koehne=digia.com at qt-project.org
[...]
> 2. When sending data from client to server (not the other way), the client
> generates a 32-bit random number.
> This random number is stored in plain text in the header of each frame.
> The data is XOR-ed with that 32-bit random number.
>
> The server takes the 32-bit random number from the header and XORs it
> with the payload to get to the original data.
>
> I really fail to see what the intention is of this mechanism. I really fail to see
> what could make this communication 'secure'.
Not that I'm into this, but the attack vector that this tries to prevent is described in section 10.3:
http://tools.ietf.org/html/rfc6455#section-10.3
So, the entropy basically ensures that malfunctioning proxy servers do not cache the content ...
Regards
Kai
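
The masking step discussed in this message, as an added example (not part of the original thread and not Qt's code). The key travels in the clear, so masking gives no confidentiality; what it does is stop the script that picked the payload from choosing the bytes an intermediary sees, which is the concern of RFC 6455 section 10.3. `SAMPLE` and the function names are constructed for illustration.

```python
import os
import struct

# Constructed sample: an HTTP-looking payload chosen by the sending script.
SAMPLE = b"GET /app.js HTTP/1.1\r\nHost: example.test\r\n\r\n"

def xor_mask(data, key):
    """RFC 6455 section 5.3: octet i is XORed with key[i mod 4]; applying it twice restores data."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def client_frame(payload, key=None):
    """Build one final text frame as a client sends it: masked, key in the clear."""
    key = os.urandom(4) if key is None else key  # fresh, unpredictable key per frame
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    n = len(payload)
    if n < 126:
        length = bytes([0x80 | n])                        # MASK bit + 7-bit length
    elif n < 1 << 16:
        length = bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        length = bytes([0x80 | 127]) + struct.pack("!Q", n)
    return b"\x81" + length + key + xor_mask(payload, key)  # 0x81 = FIN + text

def server_unframe(frame):
    """Parse one client frame and return the original payload."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    if not frame[1] & 0x80:
        raise ValueError("unmasked client frame")  # a server rejects these (section 5.1)
    n, off = frame[1] & 0x7F, 2
    if n in (126, 127):
        size = 2 if n == 126 else 8
        if len(frame) < off + size:
            raise ValueError("truncated frame")
        n = int.from_bytes(frame[off:off + size], "big")
        off += size
    key, body = frame[off:off + 4], frame[off + 4:off + 4 + n]
    if len(key) != 4 or len(body) != n:
        raise ValueError("truncated frame")
    return xor_mask(body, key)

if __name__ == "__main__":
    wire = client_frame(SAMPLE)
    print("key in header :", wire[2:6].hex())
    print("bytes on wire :", wire[6:26])
    print("server decodes:", server_unframe(wire)[:20])
```
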