Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 02 October 2010 01:07 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 990243A6C86 for <hybi@core3.amsl.com>; Fri, 1 Oct 2010 18:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.642
X-Spam-Level:
X-Spam-Status: No, score=-2.642 tagged_above=-999 required=5 tests=[AWL=-0.043, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bsZ64+0nO4F4 for <hybi@core3.amsl.com>; Fri, 1 Oct 2010 18:07:22 -0700 (PDT)
Received: from mail.gmx.net (mailout-de.gmx.net [213.165.64.23]) by core3.amsl.com (Postfix) with SMTP id 11AA93A6C5E for <hybi@ietf.org>; Fri, 1 Oct 2010 18:07:21 -0700 (PDT)
Received: (qmail invoked by alias); 02 Oct 2010 01:08:09 -0000
Received: from dslb-094-222-150-219.pools.arcor-ip.net (EHLO hive) [94.222.150.219] by mail.gmx.net (mp041) with SMTP; 02 Oct 2010 03:08:09 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX1+4Sfl07Ly4DYIjSmx2cDpNNd66VLtLyp+SVGE1s3 kLuSu0phTH33V1
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Scott Ferguson <ferg@caucho.com>
Date: Sat, 02 Oct 2010 03:08:08 +0200
Message-ID: <4m0da6tid6vvj7e71t1jdqe5hju62nk0ra@hive.bjoern.hoehrmann.de>
References: <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com>
In-Reply-To: <4CA68098.8010404@caucho.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Oct 2010 01:07:24 -0000

* Scott Ferguson wrote:
>Adam Barth wrote:
>> As a side note, using an exotic HTTP method is not a good idea.  The
>> first few bytes of the client's initial message are absolutely
>> critical.  Picking an exotic HTTP method is just rolling the dice
>> w.r.t. what protocols an attacker can exploit.  For example, some
>> attacks from HTTP to DNS rely critically on the fact that the first
>> byte of an HTTP POST message is an uppercase P.  The kinds of things
>> you can do with an uppercase W as the first byte are largely
>> unstudied.
>
>You misunderstand entirely.
>
>It's not an exotic HTTP method; it's identifying the protocol by the
>initial sequence of bytes.
>
>If every client for every protocol sent a non-hijackable unique protocol
>identifier as its initial sequence, and every server for every protocol
>verified the protocol identifier before accepting any further bytes,
>then cross protocol attacks would be impossible.
>
>We can't fix the older protocols that don't identify themselves 
>immediately and don't validate, but we can ensure that new protocols do.

I am not sure you understood Adam's point. Right now an attacker cannot
trick some person into opening a web page where the browser will then
open a TCP connection to a host and port of the attacker's choosing and
have it send "WEBSOCKET ..." to it, and there may be environments and
protocols where that allows some form of attack. Since the attacker has
a good amount of control over the path that follows the verb, that's not
entirely impossible and should be considered if the group decides to use
a "WEBSOCKET" method.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
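Worked illustration of the two server-side points raised in this exchange: Scott's suggestion that a server verify the protocol identifier before accepting any further bytes, and Björn's observation that the path after the verb is attacker-influenced and so needs its own validation. This is an added example, not code from the hybi thread or from any WebSocket implementation; the "WEBSOCKET " identifier, the restricted request-target grammar, the 1024-byte line limit and every sample input are assumptions made for the example.

```python
"""Incremental protocol-identifier guard (added example, not from the thread).

A server-side front that checks the bytes a client sends first against the
expected protocol identifier one chunk at a time, rejecting the connection at
the first diverging byte instead of buffering and parsing a whole request.
Once the identifier is complete, the remainder of the request line is held to
a deliberately narrow grammar because that part is under the page author's
control.
"""

import re

# Hypothetical identifier a new protocol might choose to send first (assumption).
PROTOCOL_ID = b"WEBSOCKET "

# Conservative request-target grammar: an absolute path made only of unreserved,
# sub-delimiter and percent characters. This is an assumption for the example;
# RFC 3986 permits more, but a protocol may choose to accept less.
TARGET_RE = re.compile(rb"\A/[A-Za-z0-9._~!$&'()*+,;=:@/%-]*\Z")

MAX_LINE = 1024  # refuse request lines with no CRLF in the first 1024 bytes (assumed limit)

ACCEPT, REJECT, NEED_MORE = "accept", "reject", "need-more"


class ProtocolGuard:
    """Feed received chunks; answer as soon as a decision is possible."""

    def __init__(self, protocol_id: bytes = PROTOCOL_ID):
        self.protocol_id = protocol_id
        self.buf = b""
        self.decided = None

    def feed(self, chunk: bytes) -> str:
        if self.decided is not None:
            return self.decided          # a verdict is final; ignore further bytes
        self.buf += chunk
        n = min(len(self.buf), len(self.protocol_id))
        # Reject at the first byte that diverges from the identifier, even when
        # the identifier has not been fully received yet ("before accepting any
        # further bytes").
        if self.buf[:n] != self.protocol_id[:n]:
            return self._decide(REJECT)
        if len(self.buf) < len(self.protocol_id):
            return NEED_MORE
        end = self.buf.find(b"\r\n", 0, MAX_LINE + 2)
        if end == -1:
            return self._decide(REJECT) if len(self.buf) > MAX_LINE else NEED_MORE
        rest = self.buf[len(self.protocol_id):end]
        parts = rest.split(b" ")
        # Expect exactly "<target> HTTP/1.1" after the identifier; the target
        # must match the restricted grammar (\Z, not $, so a stray LF fails).
        if len(parts) != 2 or parts[1] != b"HTTP/1.1" or not TARGET_RE.match(parts[0]):
            return self._decide(REJECT)
        return self._decide(ACCEPT)

    def _decide(self, verdict: str) -> str:
        self.decided = verdict
        return verdict


def classify(chunks):
    """Run constructed chunks through a fresh guard; return the verdict per chunk."""
    guard = ProtocolGuard()
    return [guard.feed(c) for c in chunks]


if __name__ == "__main__":
    # Constructed sample inputs.
    print(classify([b"POST / HTTP/1.1\r\n"]))                 # rejected on the first byte
    print(classify([b"WEBS", b"OCKET /chat HTTP/1.1\r\n"]))   # need-more, then accept
    print(classify([b"WEBSOCKET /a b HTTP/1.1\r\n"]))         # malformed target: reject
```

The guard never reads past the request line before deciding, and a rejection is sticky, so a client that sends a mismatching first byte cannot recover by sending a well-formed line afterwards. The target grammar is intentionally strict; loosening it is a deliberate decision, not a default.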