Re: [hybi] Different server semantics of CONNECT

Greg Wilkins <gregw@intalio.com> Sat, 04 December 2010 07:51 UTC

In-Reply-To: <AANLkTi=YK5hPEou+U76Bf39zqo3y+Y4omG0W0Q7EZvA0@mail.gmail.com>
References: <AANLkTi=5Z+PhCSmgNAd5_JcLYxR1rBQX=sbTT3qEwW-W@mail.gmail.com> <49B71D64-9B5D-40DB-B823-1552C56D19E5@gbiv.com> <AANLkTi=tF7kA3iP+FNfWOqiFwmB1q8jGgYABuE9KEuhc@mail.gmail.com> <743CF3C8-570C-42A0-9DF8-FD206F508C7C@gbiv.com> <070E177B-545C-4F43-A48A-7D8A0E9C2FF6@apple.com> <58C1667A-1F83-447F-ACD7-88109B0E48E4@gbiv.com> <8B0A9FCBB9832F43971E38010638454F03F347DF6C@SISPE7MB1.commscope.com> <AANLkTimp0Hvro3rCfihvV=9gGEGTn2dBXdE=4APSnM39@mail.gmail.com> <4CF881DD.5040409@it.aoyama.ac.jp> <AANLkTimWkXXAtpFmB85tNAw63=ej-mQ2Fhc4=7Hi_1_P@mail.gmail.com> <AANLkTi=zfsAuxuB=zhHqC99aFWv4C5qhszTvN7g7Pitr@mail.gmail.com> <AANLkTi=ufpHqotwO6+_Bwsa7t5H5cB-LLeP+d=A5R26E@mail.gmail.com> <AANLkTinHtN3uSGbZ6Hcki4wbMcN3vRp2_Ba=QENE2omY@mail.gmail.com> <AANLkTi=u-EL5CDVtz1fcMN90uVsdS5QCTku4ukD0+qNw@mail.gmail.com> <AANLkTi=QW22Sg1gboXBXB0nCzLrGktrYwq6AJX4oQJYr@mail.gmail.com> <AANLkTi=HyDUkFKnEzxPdiW0v1TNTuh3Nz70sSMmJaB8Y@mail.gmail.com> <AANLkTi=YK5hPEou+U76Bf39zqo3y+Y4omG0W0Q7EZvA0@mail.gmail.com>
Date: Sat, 04 Dec 2010 08:52:21 +0100
Message-ID: <AANLkTimhMKseM=o6XFxDUqoA0cVVcR2ga0vcpeJOw6wO@mail.gmail.com>
From: Greg Wilkins <gregw@intalio.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: hybi@ietf.org
Subject: Re: [hybi] Different server semantics of CONNECT

On 3 December 2010 20:45, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> On Fri, Dec 3, 2010 at 5:39 AM, Greg Wilkins <gregw@intalio.com> wrote:
>> Eric,
>>
>> to put this another way, the paper produced the following results:
>>
>>  POST handshake + non-framed data        15 vulnerable
>>  GET-Upgrade + non-framed data            8 vulnerable
>
> I know Adam said that data isn't framed in the Upgrade experiment. I
> don't buy it. If this is what they sent in the Upgrade experiment:
>
> GET /resource HTTP/1.1
> Upgrade: WebSocket
> ...
> <CRLF>
> GET /script.php/<random> HTTP/1.1
> Host: target.com
>
> i.e. there is no non-http bytes between handshake and spoof requests,
> then this is very similar to the POST experiment. The only major
> difference is the Upgrade header.
>
> Yet in POST experiment, 1376 firewall circumvention attacks succeeded,
> and in Upgrade experiment, only 1 succeeded. The two experiments are
> done at the same time, over the same intermediaries, same parsers. How
> can this be?

Zhong,

Well, it's hard to know for sure unless Adam & Eric disclose.

I did ask if they framed the second request and Adam said no.
It's true that it is not clear if the 8 random bytes are sent between
the requests.

It is certainly true that they did not send a hello frame with known
unacceptable bytes.

Is it true that the experiment was conducted over the same intermediaries etc.?
If the experiments were conducted by ad placements, then it would be
quasi-random where the adverts were placed.  Actually it may be worse
than that, as the advert system may track data about the advertisement
and alter its algorithm for where to display the advert over time,
target pages and client source.   There could be large systematic
variables in the experiment.

I really don't want to rain on Adam & Eric's parade, as I think their
work is really interesting and well worth doing.  It is just that
without full disclosure of methods and data, I think it is impossible
to understand their findings or fully support their conclusions.

cheers