seabeyond 2011 processone - eric cestari: xmpp over websocket

XMPP over WebSocketEric Cestari [email protected]@cstar

jeudi 3 février 2011

mailto:[email protected]

mailto:[email protected]

WebSocket =

Web + Socket =

recipe for AWESOME ?


WebSocket

Message oriented

Two way connection between browser and server

No more Comet, long-polling, Ajax push, BOSH, hidden iframes

Pros: Less load on serverbetter latencyless effort for the client (battery life increases)

Cons:not ubiquitoussecurity issues


A simple Javascript API

new Websocket(url)ws.send()ws.close()

and callbacksws.onopenws.onclosews.onmessage


Normalized by IETF ...

... since forever (first mail on the hybi mailing list: 30 March 2009)

Three drafts implemented :draft-hixie -68 by Chrome (Dec 2009)draft-hixie -75 by Chrome and Safari (Feb 2010)draft-hixie -76 (May 10) by Safari 5.0.4, Chrome 6, Opera 10.70 and early Firefox 4 betas


Current issues

Fear of cross-protocol attacks.

Possible transparent proxy cache poisoning discovered by A. Barth and E. Rescorla with currently implemented draft.

WebSocket support disabled in Opera and latest Firefox betas by default


WS support everywhere !

Flash to the rescue

web-socket-js opensource projecthttps://github.com/gimite/web-socket-js

But: slower than native implementationwith TLS support, file weighs 180Kb (20Kb without)It’s Flash, dammit!


https://github.com/gimite/web-socket-js

https://github.com/gimite/web-socket-js

Handshakes and messages

Handshake: Make sure server understands websocket

Messages: bi-directional frames

Current state (-04)Handshake is GET + Upgrade headers with NonceMessages are masked from client to server


XMPP sub-protocol

IETF draft by Jack Moffit and Eric Cestari

One message = one stanza = one XML documentWith exceptions for stream start and stream end.

No TLS socket upgrade for encryptionTLS negociation is done on socket opening (wss://host:port/)


Client and server support

Support in ejabberd 2.2.x

Support StropheJS websocket support

and prototype code for JSJaC

Not released ... yet!


New product: GitLive!

Visualize GitHub pushes in realtime from Github repositories

http://gitlive.com/

http://gitlive.com/demo.html

Already used on the ejabberd and Tsung homepage

Use it on your own project!


http://gitlive.com

http://gitlive.com



References

Hybi WG mailing listhttps://www.ietf.org/mailman/listinfo/hybi

Transparent proxies: Threat or menaces ?http://www.adambarth.com/experimental/websocket.pdf

An XMPP sub-protocol for Websocketshttp://tools.ietf.org/html/draft-moffitt-xmpp-over-websocket-00


https://www.ietf.org/mailman/listinfo/hybi

https://www.ietf.org/mailman/listinfo/hybi

http://www.adambarth.com/experimental/websocket.pdf

http://www.adambarth.com/experimental/websocket.pdf

http://tools.ietf.org/html/draft-moffitt-xmpp-over-websocket-00

http://tools.ietf.org/html/draft-moffitt-xmpp-over-websocket-00

seabeyond 2011 processone - eric cestari: xmpp over websocket

Documents