Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

Willy Tarreau <w@1wt.eu> Mon, 26 July 2010 09:56 UTC

On Mon, Jul 26, 2010 at 02:45:44AM -0700, Maciej Stachowiak wrote:
> > You can also use this idea at the end
> > of an HTTP-like handshake to get started sending data without waiting
> > for the server to reply.
> 
> Doesn't this second design make WebSocket services potentially vulnerable to cross-protocol attacks from HTTP? It's easy for the HTTP attacker to make up a key and encrypt the attack payload with it, unless the server has to prove it understands WebSocket based on part of the handshake that the in-browser HTTP attacker can't control before it is allowed to process messages.

In my opinion, if the protocol relies on a real HTTP handshake, what
it will get from an attacker's browser will be a real HTTP request
that it will be able to proceed with. We must keep in mind that WS
servers will be exposed to the net, so while browser-based attacks
can be massive (and imply we should be able to protect against them), it
does not mean that the server must end up in an unexpected state.

Also, from what I understood, on a normal browser, the attacker has
no control over the headers. If the key is sent in such headers, an
attacker should not be able to direct browsers at WS servers as those
will reject the request as invalid.

Regards,
Willy
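
An added example, not part of the original message or of any hybi draft: a server-side check that refuses to treat a connection as WebSocket unless the request carries a well-formed key in its headers. It assumes the handshake that RFC 6455 later standardized (the Sec-WebSocket-Key header, which browsers do not let page script set); the function names and sample requests are constructed for illustration.

```python
import base64
import binascii
import hashlib

# GUID fixed by RFC 6455 (standardized after this thread; an assumption here).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def parse_request(raw: bytes):
    """Split a raw HTTP request head into (request line, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_handshake(raw: bytes):
    """Return (True, accept_token) for a valid handshake, else (False, reason)."""
    try:
        request_line, h = parse_request(raw)
    except ValueError as exc:
        return False, str(exc)
    if request_line.split(" ")[0] != "GET":
        return False, "not a GET request"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "missing Upgrade: websocket"
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return False, "missing Connection: Upgrade"
    if h.get("sec-websocket-version") != "13":
        return False, "unsupported version"
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return False, "bad key"  # key must decode to exactly 16 bytes
    except (binascii.Error, ValueError):
        return False, "bad key"
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return True, base64.b64encode(digest).decode("ascii")

# Constructed samples: a valid handshake and a plain cross-site form POST.
GOOD = (b"GET /chat HTTP/1.1\r\nHost: ws.example\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\n"
        b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")
FORM_POST = (b"POST /chat HTTP/1.1\r\nHost: ws.example\r\n"
             b"Content-Type: text/plain\r\n\r\nattacker-chosen body")
```

The server processes frames only after check_handshake returns True; any other request gets an HTTP error and the connection is closed, so the body of an ordinary HTTP request is never interpreted as WebSocket data.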