IETF Logo Mail Archive

Re: [hybi] Extensibility mechanisms?

Maciej Stachowiak <mjs@apple.com> Thu, 22 July 2010 07:18 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5BC683A6834 for <hybi@core3.amsl.com>; Thu, 22 Jul 2010 00:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.299
X-Spam-Level:
X-Spam-Status: No, score=-106.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z0kmInRxq729 for <hybi@core3.amsl.com>; Thu, 22 Jul 2010 00:18:03 -0700 (PDT)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 313463A67D7 for <hybi@ietf.org>; Thu, 22 Jul 2010 00:18:03 -0700 (PDT)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out3.apple.com (Postfix) with ESMTP id 7219E9EE02BB for <hybi@ietf.org>; Thu, 22 Jul 2010 00:18:20 -0700 (PDT)
X-AuditID: 11807136-b7c9dae000000fcd-2a-4c47f0bc82ea
Received: from gertie.apple.com (gertie.apple.com [17.151.62.15]) by relay15.apple.com (Apple SCV relay) with SMTP id 3A.73.04045.CB0F74C4; Thu, 22 Jul 2010 00:18:20 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.96.25] by gertie.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L5Y00GLO6YJDLA0@gertie.apple.com> for hybi@ietf.org; Thu, 22 Jul 2010 00:18:20 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <20100722055452.GL7174@1wt.eu>
Date: Thu, 22 Jul 2010 00:18:19 -0700
Message-id: <F412C956-038F-400D-A431-C42B4C7B829C@apple.com>
References: <AANLkTikkfdlUxQ0MGNvVQKa5gfovkGHWdCgyN9juKSQJ@mail.gmail.com> <4C462F9E.9030207@caucho.com> <Pine.LNX.4.64.1007212153110.7242@ps20323.dreamhostps.com> <AANLkTiku76oSucTNDFdwgsFBNFa_cCpC-YktTnMfX47-@mail.gmail.com> <4C479130.4020500@caucho.com> <AANLkTikLDjBP-Xs5t6TxmJuq4nG8jwThQ=n34B4cEmup@mail.gmail.com> <4C479CE4.6070805@caucho.com> <AANLkTims1er0Rbv0ysP4gRs1Kd0He8hapHeJ3nON=JQa@mail.gmail.com> <4C47C5B0.3030006@caucho.com> <AANLkTi=ND-FOH8OoD=TCbiyeSZ-h0LhxQBXN5w-2hfvj@mail.gmail.com> <20100722055452.GL7174@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Extensibility mechanisms?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 07:18:04 -0000

On Jul 21, 2010, at 10:54 PM, Willy Tarreau wrote:

> Hi Adam,
> 
> On Wed, Jul 21, 2010 at 09:40:00PM -0700, Adam Barth wrote:
>> The more I read on this list, the more I think that folks here don't
>> understand the requirements on the protocol, especially the security
>> requirements.  That's understandable if you haven't worked extensively
>> with the browser security model.  Fortunately, Ian is an expert on
>> these topics and has more time to reply to this list than I do.
> 
> Unfortunately, if neither of you two can take some time to give concrete
> examples of what you're trying to protect against, you will constantly
> see proposals that don't fit your requirements.
> 
> My understanding of cross-protocol attacks (please correct me if I'm
> wrong) is the fact that a browser can be tricked into sending specially
> crafted data to an IP:port which it believes is one protocol while it's
> another one, the typical example being a form designed to send a POST
> to an SMTP server, which will ignore all the HTTP part it does not
> understand and will happily apply the body's data as SMTP commands. It's
> easy to put web sites on the net that build such forms so that browsers
> which get there are accidentely used to perform that attack.

There's at least three kinds of concerns about cross-protocol attacks and the WebSocket protocol, in the case where the client is the browser:

1) Hostile JS code running in the browser may use the browser's WebSocket client code to try to attack existing HTTP resources, if it can make a request that looks sufficiently like HTTP.
2) Hostile JS code running in the browser may use the browser's WebSocket client code to try to attack existing non-HTTP servers, if it can make a request that looks sufficiently like the service in question.
3) Hostile JS code running in the browser may use the browser's HTTP client code (e.g. via XMLHttpRequest) to try to attack newly created WebSocket servers, if it can make a request that looks sufficiently like WebSocket.

There is also another orthogonal dimension to the threat space:

A) Attacks on confidentiality, where the attacker is trying to get access to information from the resource being attacked which he or she should not be able to obtain.
B) Attacks on integrity, where the attacker is attempting to inject commands into a resource, without necessarily caring about getting a response back.


Cross-protocol attacks were much discussed earlier in the year, and I gave some sketches of attack scenarios here:
http://www.ietf.org/mail-archive/web/hybi/current/msg01198.html


> 
> If this is indeed the issue you're talking about, then I don't see why
> the HTTP-based handshake could be a problem there. It's not more than
> any other common HTTP request, it's even better in that no data should
> flow until the server has correctly replied indicating proper support
> for the protocol.

What's "the HTTP-based handshake"? We have had several proposals for handshakes that start out looking like HTTP. They are not all equally effective in protecting against cross-protocol attacks, though some of them do have some protection..

Although I am not an expert on cross-protocol attacks, one thing I have learned is that the issues can be *extremely* subtle. This leads me to conclude that it's better to err on the side of caution, and design the protocol to be even more robust against such threats than we think is strictly necessary. 

I believe the TLS-based handshake (as proposed by Adam) is more robust than solutions involving nonces and challenge/response built into an HTTP-like handshake. The reason for this is that it's hard for the attacker to control the bytes sent, other than to cause the initiation of a TLS handshake, which is something that all network services are already exposed to by browsers. The attacker cannot get to the next-level protocol running over TLS unless the server explicitly opts in. With HTTP-based schemes, it takes much more care to avoid sending information as the "wrong" protocol.

However, HTTP-based challenge-response solutions are definitely better than not trying to address the issue at all.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email