IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Sat, 09 October 2010 05:56 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1964F3A6800 for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 22:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.794
X-Spam-Level:
X-Spam-Status: No, score=-2.794 tagged_above=-999 required=5 tests=[AWL=-0.751, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1aOHsTwk87V for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 22:56:42 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 9612E3A680B for <hybi@ietf.org>; Fri, 8 Oct 2010 22:56:21 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o995vNsn007215; Sat, 9 Oct 2010 07:57:23 +0200
Date: Sat, 09 Oct 2010 07:57:23 +0200
From: Willy Tarreau <w@1wt.eu>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20101009055723.GL4712@1wt.eu>
References: <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com> <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 05:56:44 -0000

On Fri, Oct 08, 2010 at 05:43:06PM -0700, Eric Rescorla wrote:
> On Fri, Oct 8, 2010 at 5:39 PM, Scott Ferguson <ferg@caucho.com> wrote:
> 
> > Bjoern Hoehrmann wrote:
> >
> >> * Scott Ferguson wrote:
> >>
> >>
> >>> So the attacker has a PHP script running on the same physical machine as
> >>> the target site, on the same VM guest as the target, and using the same
> >>> shared web server as the target, and has decided that a cross protocol
> >>> attack is the appropriate vector against a target on the same machine as his
> >>> PHP script.
> >>>
> >>>
> >>
> >> In the scenario the browser thinks it is talking Websocket while the
> >> server thinks the browser is talking HTTP, so basically
> >>
> >>  +----------------+                    +------------------+
> >>  | User's browser | -- "Websocket" +-- | attacker.example |
> >>  +----------------+                |   +------------------+
> >>                                  HTTP
> >>                                    |   +------------------+
> >>                                    +-- | target.example   |
> >>                                        +------------------+
> >>
> >> How attacker.example and target.example are organized is up to the
> >> web server, it could just be some kind of firewall where the two sites
> >> are actually hosted on physically separate machines behind it and they
> >> may be unable to talk to each other. I do think this is something that
> >> the Websocket protocol needs to address.
> >>
> >>
> >
> > To consider the original scenario, do you think the case where the
> > attacker's PHP script is on the same physical and virtual machine as the
> > target is something WebSockets needs to address? Or that the shared machine
> > configuration is already so compromised that complicating WebSockets to
> > address that scenario adds no real value.
> >
> >
> This case definitely needs to be addressed. It's a completely standard
> hosting
> configuration.

it is correctly addressed by respecting the HTTP protocol which consists in
sending Connection: close in the request so that there is no risk that either
the web server or any intermediary consider additional data as a second request.

Regards,
Willy

v2.23.0 | Report a Bug | By Email