IETF Logo Mail Archive

Re: [hybi] Web sockets and existing HTTP stacks

Vladimir Katardjiev <vladimir@d2dx.com> Wed, 03 February 2010 22:50 UTC

Return-Path: <vladimir@d2dx.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 33BB43A67FB for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 14:50:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qpHHVbOYaTwG for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 14:50:46 -0800 (PST)
Received: from homiemail-a14.g.dreamhost.com (caiajhbdccac.dreamhost.com [208.97.132.202]) by core3.amsl.com (Postfix) with ESMTP id E99663A685D for <hybi@ietf.org>; Wed, 3 Feb 2010 14:50:45 -0800 (PST)
Received: from [192.168.0.103] (c-3ce6e055.321-1-64736c12.cust.bredbandsbolaget.se [85.224.230.60]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by homiemail-a14.g.dreamhost.com (Postfix) with ESMTPSA id 27C118C063; Wed, 3 Feb 2010 14:51:26 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/signed; boundary="Apple-Mail-1--832524428"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Vladimir Katardjiev <vladimir@d2dx.com>
In-Reply-To: <D8279D52-AE47-46F6-84DA-8E348116662A@apple.com>
Date: Wed, 03 Feb 2010 23:51:24 +0100
Message-Id: <ADFF563C-46E7-457D-86BE-6EFEB1F57AFD@d2dx.com>
References: <557ae280911171402v7546e5e7n93a1e57f87dc10e5@mail.gmail.com> <ad99d8ce1002012139l3b8f525bj9caf7861332f3d18@mail.gmail.com> <1427E183-FDBC-4854-9455-B93AB28DAB03@apple.com> <ad99d8ce1002012343n132169f8wbaacc1cf4efe2f87@mail.gmail.com> <31123817-6D3F-489D-9F48-109AC93E6769@apple.com> <ad99d8ce1002030000i566f3517qddf4e62f386c9211@mail.gmail.com> <4B692EDB.1060300@gmx.de> <E9DF7FE9-70F0-4268-8CEF-1007D71F9FBB@apple.com> <ad99d8ce1002030107i5994c847yf639b660dc64cdc9@mail.gmail.com> <7CB6EE56-B840-4368-ABAF-C8AA1CCE6600@apple.com> <ad99d8ce1002030956w7503957eg8bd6e88da66a884a@mail.gmail.com> <D8279D52-AE47-46F6-84DA-8E348116662A@apple.com>
To: Maciej Stachowiak <mjs@apple.com>
X-Mailer: Apple Mail (2.1077)
Cc: hybi@ietf.org
Subject: Re: [hybi] Web sockets and existing HTTP stacks
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 22:50:48 -0000

For reference, linking the message from Maciej with the problem statement. http://www.ietf.org/mail-archive/web/hybi/current/msg01198.html  

On 3 feb 2010, at 23.17, Maciej Stachowiak wrote:

>> 
>> You can still do [the nonce] as an HTTP header.
> 
> Indeed! And that was my original proposal. But I have been advised that the status line could afford stronger protection.

I can appreciate the logic in having the mandatory response before the request is able to manipulate the output. On the other hand, if the request has anyway successfully manipulated the first bytes of the output to state "HTTP/1.1 101 Web Socket Protocol Handshake", it stands to reason that a couple of more bytes at the end of that won't pose much of a difficulty for an attacker. (Alternatively, the remote host is a WebSocket aware endpoint, at which point you don't have a cross-protocol vulnerability anyway).

In any event, assuming the nonce is unpredictable, the only case in which an unaware server can be tricked into sending back a correct response is if the client is able to make the server compute it. Since this is tantamount to executing arbitrary code on the server, I'd say that's a case that can't be combated, as arbitrary code can always send back the proper response.

For the second case, I don't see at all why this would help on a websocket server that doesn't validate input data... or on a websocket server at all. Since the nonce is opaque to the server, why can't I just send something that pretends to be a nonce from my xhr? It should properly parse, as long as it's [a-zA-Z0-9]+ and the server will happily reply. But it stands to reason if you don't validate your input you're open to attacks. The best you can do is always force the WebSocket server to validate the handshake (which, if I'm not mistaken, you're arguing anyway?)

Vladimir

v2.23.0 | Report a Bug | By Email