A key part of the WebSocket protocol is the initial handshake that establishes a connection.
This handshake is a GET request with Connection: Upgrade that carries sixteen random bytes from the client, encoded in Base64, which are intended to check the connection and desynchronize intermediaries. The server computes a hash of the nonce and replies with it.
Draft: http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-05
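The nonce and hash exchange described above, as an added example that is not taken from the draft or from any implementation. It assumes the header names (Sec-WebSocket-Key, Sec-WebSocket-Accept), the fixed GUID and the SHA-1 construction of RFC 6455, the final form of this handshake; that draft -05 matches them is an assumption.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Fixed GUID from RFC 6455 (assumed here to be the same in draft -05).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def new_client_key() -> str:
    """Client side: sixteen random bytes, Base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def compute_accept(client_key: str) -> str:
    """Server side: validate the nonce, then hash it together with the GUID."""
    key = client_key.strip()
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key is not valid Base64") from exc
    if len(raw) != 16:
        raise ValueError("key must decode to exactly 16 bytes")
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_accepts(client_key: str, response_headers: dict) -> bool:
    """Client side: continue only if the reply is bound to our own nonce.

    A reply produced for a different handshake (for example one replayed by
    an intermediary) carries a hash of some other nonce and fails this check.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    received = headers.get("sec-websocket-accept", "").strip()
    expected = compute_accept(client_key)
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    key = new_client_key()
    reply = {"Sec-WebSocket-Accept": compute_accept(key)}
    print("key:", key, "accept:", reply["Sec-WebSocket-Accept"])
    print("fresh reply accepted:", client_accepts(key, reply))
    other = {"Sec-WebSocket-Accept": compute_accept(new_client_key())}
    print("reply for another nonce accepted:", client_accepts(key, other))
```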
See the FAQ before posting a question or proposal to the mailing list. Your point may already be well discussed.
This handshake involves doing a GET request with Connection: Upgrade, followed by eight random bytes from the client which are intended to check the connection and desynchronize intermediaries. This is an idiosyncratic way of passing a client nonce. The server computes a hash of the nonce and replies with it.
Draft: http://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-03
This handshake involves doing a GET request with Connection: Upgrade, followed by an exchange of special HELLO frames containing nonces between the server and the client. It also reduces quirkiness relative to the original proposal.
http://tools.ietf.org/html/draft-montenegro-hybi-upgrade-hello-handshake
Three major changes relative to the current WG draft: (1) use the CONNECT method instead of GET with Upgrade headers; (2) do not show the true host in the usual HTTP places, and instead use a special "websocket.invalid" host; (3) mask the payload using a key computed from client and server nonces. It is claimed to have strong, provable security properties against cross-protocol attacks.
https://svn.tools.ietf.org/html/draft-abarth-websocket-handshake-00
Ian Fette's variant that drops payload masking and a few other details from the Eric+Adam proposal.
http://www.ietf.org/mail-archive/web/hybi/current/msg05014.html
Uses GET+Upgrade, followed by a CONNECT to attempt to desynchronize intercepting proxies that are affected by it.
http://tools.ietf.org/html/draft-cridland-hybi-upgrade-connect-00
Hixie 75 is the first version adopted by several browser vendors for their initial WebSocket implementation. HyBi 00 is the successor implemented by many browser vendors.
Huang, E. Y. Chen, A. Barth, E. Rescorla, and C. Jackson "Transparent Proxies: Threat or Menace?" http://www.adambarth.com/experimental/websocket.pdf
The content of this page was last updated on 2011-02-25. It was migrated from the old Trac wiki on 2023-01-21.