seabeyond 2011 processone - eric cestari: xmpp over websocket
XMPP over WebSocket
Eric Cestari (@cstar)
Thursday 3 February 2011
WebSocket =
Web + Socket =
recipe for AWESOME?
WebSocket
Message oriented
Two way connection between browser and server
No more Comet, long-polling, Ajax push, BOSH, hidden iframes
Pros: less load on server; better latency; less effort for the client (battery life increases)
Cons: not ubiquitous; security issues
A simple Javascript API
new WebSocket(url), ws.send(), ws.close()
and callbacks: ws.onopen, ws.onclose, ws.onmessage
Standardized by IETF ...
... since forever (first mail on the hybi mailing list: 30 March 2009)
Three drafts implemented:
draft-hixie -68 by Chrome (Dec 2009)
draft-hixie -75 by Chrome and Safari (Feb 2010)
draft-hixie -76 (May 10) by Safari 5.0.4, Chrome 6, Opera 10.70 and early Firefox 4 betas
Current issues
Fear of cross-protocol attacks.
Possible transparent proxy cache poisoning discovered by A. Barth and E. Rescorla with the currently implemented draft.
WebSocket support disabled in Opera and latest Firefox betas by default
WS support everywhere!
Flash to the rescue
web-socket-js open source project
https://github.com/gimite/web-socket-js
But:
slower than native implementation
with TLS support, file weighs 180Kb (20Kb without)
It’s Flash, dammit!
Handshakes and messages
Handshake: Make sure server understands websocket
Messages: bi-directional frames
Current state (-04):
Handshake is GET + Upgrade headers with Nonce
Messages are masked from client to server
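Added example (not from the original slides): why masking client-to-server messages answers the proxy cache poisoning concern raised under "Current issues". It assumes the frame layout later standardised in RFC 6455, which may differ from the -04 draft the slide refers to; function names are illustrative, and the masking key is passed in so the run is deterministic, whereas a real client draws a fresh unpredictable key for every frame.

```javascript
// Added example. Frame layout follows RFC 6455 (assumption: the -04 draft may differ).
const enc = new TextEncoder();
const dec = new TextDecoder();

// XOR is its own inverse, so one routine both masks and unmasks.
function xorMask(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key[i % 4];
  return out;
}

// Client side: one masked text frame. Only payloads up to 125 bytes are handled.
function buildClientTextFrame(text, key) {
  const payload = enc.encode(text);
  if (key.length !== 4) throw new RangeError('masking key must be 4 bytes');
  if (payload.length > 125) throw new RangeError('extended lengths not handled');
  const frame = new Uint8Array(6 + payload.length);
  frame[0] = 0x81;                  // FIN=1, opcode 0x1 (text)
  frame[1] = 0x80 | payload.length; // MASK=1, 7-bit payload length
  frame.set(key, 2);                // masking key travels in the clear
  frame.set(xorMask(payload, key), 6);
  return frame;
}

// Server side: a client frame without the MASK bit is a protocol violation.
function parseClientFrame(frame) {
  if (frame.length < 2) throw new Error('truncated frame');
  if ((frame[1] & 0x80) === 0) throw new Error('unmasked client frame, close connection');
  const len = frame[1] & 0x7f;
  if (len > 125) throw new Error('extended lengths not handled');
  if (frame.length < 6 + len) throw new Error('truncated frame');
  return dec.decode(xorMask(frame.subarray(6, 6 + len), frame.subarray(2, 6)));
}

// What an intermediary sees: does an ASCII string appear in the raw wire bytes?
function wireContains(frame, needle) {
  return Array.from(frame, (b) => String.fromCharCode(b)).join('').includes(needle);
}

// Constructed sample: a payload that would look like an HTTP request if sent raw.
const sampleKey = Uint8Array.from([0x37, 0xfa, 0x21, 0x3d]);
const sampleFrame = buildClientTextFrame('GET /x HTTP/1.1', sampleKey);
console.log(wireContains(sampleFrame, 'GET '), parseClientFrame(sampleFrame));
```

Because the key changes per frame and is not chosen by page script, the script cannot predict the bytes an intermediary will see, while the server recovers the payload exactly.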
XMPP sub-protocol
IETF draft by Jack Moffitt and Eric Cestari
One message = one stanza = one XML document
With exceptions for stream start and stream end.
No TLS socket upgrade for encryption
TLS negotiation is done on socket opening (wss://host:port/)
Client and server support
Support in ejabberd 2.2.x
StropheJS websocket support
and prototype code for JSJaC
Not released ... yet!
New product: GitLive!
Visualize GitHub pushes in realtime from GitHub repositories
http://gitlive.com/
http://gitlive.com/demo.html
Already used on the ejabberd and Tsung homepage
Use it on your own project!
References
Hybi WG mailing list
https://www.ietf.org/mailman/listinfo/hybi
Transparent proxies: Threat or menaces?
http://www.adambarth.com/experimental/websocket.pdf
An XMPP sub-protocol for Websockets
http://tools.ietf.org/html/draft-moffitt-xmpp-over-websocket-00