Re: [hybi] Call for interest: multiplexing dedicated for WebSocket

Roberto Peon <fenix@google.com> Mon, 03 June 2013 18:15 UTC

Return-Path: <fenix@google.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F26C21F85E0 for <hybi@ietfa.amsl.com>; Mon, 3 Jun 2013 11:15:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yBBW25Y+o3sm for <hybi@ietfa.amsl.com>; Mon, 3 Jun 2013 11:14:53 -0700 (PDT)
Received: from mail-lb0-f175.google.com (mail-lb0-f175.google.com [209.85.217.175]) by ietfa.amsl.com (Postfix) with ESMTP id DA52321E805E for <hybi@ietf.org>; Mon, 3 Jun 2013 11:12:51 -0700 (PDT)
Received: by mail-lb0-f175.google.com with SMTP id v10so4141717lbd.34 for <hybi@ietf.org>; Mon, 03 Jun 2013 11:12:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=1u25UEkk4bDmOY+mH3dt1HH2mXCpyx4x+zHaGbYQkJ8=; b=Vs5oW/AlOP+mvbmEzO+UoW+3LTCegYWFkWgndkyNlntWmsv71qzHkfnUFRJxMvL2WN dsx2oHI8/A701ByDOyjLK2YW7vmmhgubQpysaiMl31G2yC4HVkG3Cj5Gwdlm3A/rNUlC q+G9Q55fsRrFwe5rEKls3O1sq+zKPBYU0HJFDUJbIWmQwAqpav1onDLL8085lDI7UgvY LVHaUaAfxtTFMoh4duFtYwcdtvQVCPRPF7yT7YdflO1eb24NtmJ3gzpdFJK3jgx+iUi2 xzhkYCkiwjqLmT9+8rMGsSzE6WgLUSfZtrcgfJLzBOwLMEUk0TuN2IQqLXYOA5lXzjPI P6Yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=1u25UEkk4bDmOY+mH3dt1HH2mXCpyx4x+zHaGbYQkJ8=; b=nDGvYnS/lSmEB6HkOM42SHgBZUNKnCzBNptYCxghOet9CYqfp4uhNg/pd2x9wRAsBe cHzL4SPW9JJOKd3XEBkznaTXV9DdO5zTIig3MQCeJpjh0z/rgYQbJ45wC53+jh2ten8E AXiuaE5XoiH6nfrFWsHnzQ/FGO4J64HryTK5btScohWW8aId3aYMlyszPWTSEoDJ9BHQ 7A7qiFmrHjKOWJbR1Q6B0d1WnH7l8QRv5rhlanwnl8COkuIW78795JFLQ8iLF4zg15oU YlK3ztKqFfsl9r4PsEDLJp0D63eG4rkhy+ptlrzMBFbkDQ6SHafxhvaWngQe9HmPXZri 5rSw==
MIME-Version: 1.0
X-Received: by 10.112.148.104 with SMTP id tr8mr11478831lbb.56.1370283170726; Mon, 03 Jun 2013 11:12:50 -0700 (PDT)
Received: by 10.112.76.231 with HTTP; Mon, 3 Jun 2013 11:12:50 -0700 (PDT)
In-Reply-To: <51A85EF9.3010907@tavendo.de>
References: <CAH9hSJZxr+aG7GZa4f-dUOTGj4bnJ+3XxivUX4jei5CMyqN4LQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C319646@EXVMBX020-12.exch020.serverdata.net> <CAH9hSJYrrbSM3TTSKCQ=AMcwCfE4zqNAa1kuAvecrXZTLqy2gQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C3DA774@EXVMBX020-12.exch020.serverdata.net> <CAHixhFrTk79A07BjQCgvep_+bmA4rGG1ZvqmoS6gsQYNPyPoZA@mail.gmail.com> <CAH9hSJYFa+bqN=e7x87W+Xvq-st70nbzUXniQaPme2fzspCjWA@mail.gmail.com> <51A70DF9.5010601@tavendo.de> <CAGzyod6daSOvAVHU6B=Qr0xDqNca_8iXrFYr0gTGdqZPryFFpA@mail.gmail.com> <51A85EF9.3010907@tavendo.de>
Date: Mon, 3 Jun 2013 11:12:50 -0700
Message-ID: <CAGzyod5Et6c2GoH2zSevLgz+v8PxvKusQBqb1rHD83pp+Xzvpg@mail.gmail.com>
From: Roberto Peon <fenix@google.com>
To: Tobias Oberstein <tobias.oberstein@tavendo.de>
Content-Type: multipart/alternative; boundary=047d7b3a8300a21ffe04de43e96f
X-Gm-Message-State: ALoCoQk0ZVJkqaiiw/LWAJuvhIBya1ey9aYvGDotPBikHOc9rkpDoIrZI3KULRVPHgwhQXXiVssugitDZgi6j6PGV6Hcve1ovW/bGKORFqw3M+fQ/jD0qforYox+i0OoHP7gpPeryQT55WU7BSTFVf8MhJoyLkp0Ii/Im3eM2awpjLQKE4O74aM+UhurD2WsK0689h39gRri
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Call for interest: multiplexing dedicated for WebSocket
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2013 18:15:07 -0000

Well, more precisely, the compression context must be shared between
material sourced by the attacker and also for the purpose of using the
site, and the context must be probe-able in some reasonable amount of time.
A gzip context which was reused between messages would be a no-no, for
instance. Another compression context (which makes probing difficult) might
be acceptable.

-=R


On Fri, May 31, 2013 at 1:27 AM, Tobias Oberstein <
tobias.oberstein@tavendo.de> wrote:

> The way CRIME works is to have a 3rd party include links to the
>> site-to-attack. Thus it doesn't matter if the schemes are http, https,
>> ws, wss, whatever.
>>
>
> Does above refer to the general requirement for CRIME: the attacker must
> be able to inject data into the source material before it is compressed and
> then encrypted?
>
> If so, how would that be possible with WebSocket and the proposed
> WebSocket per-message compression?
>
>
> random thoughts:
>
> a)
> permessage-deflate only compresses WS data messages, not control frames.
>
> So the attacker would need to inject data into the app-level payload.
>
> The only way to send app-level payload in browsers if via the JavaScript
> WebSocket API (socket.send()).
>
> So the attacker would need to somehow modify this JS code. However, the
> origin of the JS running is (at least with browsers) sent during the WS
> opening handshake as a HTTP header, and a WS server can check and decline
> an incoming connection.
>
> b)
> With WS HTTP headers are only sent _once_: during the initial WS opening
> handshake, and by the client to the server.
>
> CRIME requires repeated injection of attacker data.
>
> More so: permessage-deflate does not touch the opening handshake, which
> remains uncompressed.
>
> Side Q: Do browsers reuse an established TLS/TCP connection for multiple
> WS connections?
>
> /Tobias
>
>