[Cryptography] WebSocket masking under TLS?

[Jerry Leichter]

> Putting aside for now that the 32-bit-XOR mask would be susceptible to a
> known-plaintext attack given that most WebSocket request payloads would start with the same JSON structure, I'm curious as to what possible reasoning did they have when still wanting to mask over TLS (again, from 5.1):
> 
>    "masking is done whether or not the WebSocket Protocol is running over TLS".
You have to look at the details of the attack.  The attack involves a client talking to a hostile server through an (innocent) caching proxy.  It server sends back data that will get incorrectly cached and then returned to both this client, and perhaps subsequent ones.

To be effective as a WebSocket-level cache, the proxy would have to terminate the TLS session.  So protection between client and proxy (and even between proxy and server) would be ineffective:  This is an attack on the semantics of the WebSocket layer, which would be exposed at the proxy.

Known plaintext is not relevant here since all three of the participants have access to the actual session and know what the plaintext really is - they don't need to guess it.

Granted, it's a kind of ugly fix - but the attack is an interesting example of the non-composability of security assertions.
                                                        -- Jerry