Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
Greg Wilkins <gregw@webtide.com> Sun, 28 November 2010 08:43 UTC
Return-Path: <gregw@intalio.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2D8F03A697E for <hybi@core3.amsl.com>; Sun, 28 Nov 2010 00:43:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.756
X-Spam-Level:
X-Spam-Status: No, score=-1.756 tagged_above=-999 required=5 tests=[AWL=0.220, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5XtTeNK8pFC for <hybi@core3.amsl.com>; Sun, 28 Nov 2010 00:43:46 -0800 (PST)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id 3DBA13A6B4B for <hybi@ietf.org>; Sun, 28 Nov 2010 00:43:46 -0800 (PST)
Received: by qyk11 with SMTP id 11so3638668qyk.10 for <hybi@ietf.org>; Sun, 28 Nov 2010 00:44:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.224.67.17 with SMTP id p17mr3819608qai.382.1290933892911; Sun, 28 Nov 2010 00:44:52 -0800 (PST)
Sender: gregw@intalio.com
Received: by 10.220.167.203 with HTTP; Sun, 28 Nov 2010 00:44:52 -0800 (PST)
In-Reply-To: <AANLkTi=x5sVSiwkLNq1dgr2Jdi-zQeX0QAQSbFMi5ojH@mail.gmail.com>
References: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com> <AANLkTimSu1fOGCg0gqX2EFh4v-MkpZuY_-onm3+TO_Z0@mail.gmail.com> <AANLkTimYpdp-75BQSmhAUfyrQv19LvzF1ouznst+ANUG@mail.gmail.com> <AANLkTikbycTS51Ein9ybbZ52zcrViFCNBjCmpRGD3yCk@mail.gmail.com> <AANLkTi=x5sVSiwkLNq1dgr2Jdi-zQeX0QAQSbFMi5ojH@mail.gmail.com>
Date: Sun, 28 Nov 2010 19:44:52 +1100
X-Google-Sender-Auth: jYmIUzjzN7ODpK3Kr0FSggA_UwY
Message-ID: <AANLkTiku+wZTudrOcviJP540FVr0wg5MFodFNSnB6FRt@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: John Tamplin <jat@google.com>
Content-Type: multipart/alternative; boundary="0015175cd6881d96ba049618f8ec"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Nov 2010 08:43:47 -0000
On 28 November 2010 19:04, John Tamplin <jat@google.com> wrote: > > Note that adding Hello frames or arbitrary other verification that a > real WebSocket client is connecting doesn't help -- in this attack > scenario, the attacker is running their JS code in the browser and > their code on the server, and it sets up a real WebSocket connection. > John, I think this is an assumption that needs to be tested. The vulnerability results because the intermediary is interpreting every HTTP request on the stream. If Hello frames are sent, or the fake HTTP requests are encapsulated in WS frames, then that may be sufficient to disrupt the parsing that the intermediaries are doing. Note that I agree with Eric when he says that this defence is reliant on the intermediary not being able to re-establish HTTP framing after non HTTP bytes are sent and that this might be rather a rather thin defence. But there still may be things that can be done to create better defences. cheers > Unless the payload is masked, you have to rely on the handshake and > framing ensuring that a transparent proxy doesn't accept WebSocket > payload content as if it were an HTTP request. Also note that since > the attacker controls the server, they can add extra headers to the > Upgrade response which will be ignored by the WebSocket client but may > confuse the transparent proxy. > > -- > John A. Tamplin > Software Engineer (GWT), Google >
- [hybi] Experiment comparing Upgrade and CONNECT h… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Eric Rescorla
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Eric Rescorla
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Ian Fette (イアンフェッティ)
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Scott Ferguson
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Scott Ferguson
- Re: [hybi] Experiment comparing Upgrade and CONNE… Julian Reschke
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Scott Ferguson
- Re: [hybi] Experiment comparing Upgrade and CONNE… Brian
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Joe Mason
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… Ian Fette (イアンフェッティ)
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Willy Tarreau
- Re: [hybi] Experiment comparing Upgrade and CONNE… Eric Rescorla
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… John Tamplin
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Maciej Stachowiak
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Greg Wilkins
- Re: [hybi] Experiment comparing Upgrade and CONNE… Zhong Yu
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Bjoern Hoehrmann
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth
- Re: [hybi] Experiment comparing Upgrade and CONNE… Adam Barth