IETF Logo Mail Archive

[hybi] Upgrade Mechanism and HasMat (was Re: Extensibility mechanisms?)

Salvatore Loreto <salvatore.loreto@ericsson.com> Thu, 22 July 2010 08:20 UTC

Return-Path: <salvatore.loreto@ericsson.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 280F63A677C for <hybi@core3.amsl.com>; Thu, 22 Jul 2010 01:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.226
X-Spam-Level:
X-Spam-Status: No, score=-3.226 tagged_above=-999 required=5 tests=[AWL=-3.087, BAYES_20=-0.74, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XS8dJ7fFjIS7 for <hybi@core3.amsl.com>; Thu, 22 Jul 2010 01:20:51 -0700 (PDT)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by core3.amsl.com (Postfix) with ESMTP id 852853A69CF for <hybi@ietf.org>; Thu, 22 Jul 2010 01:20:50 -0700 (PDT)
X-AuditID: c1b4fb39-b7b91ae000001aef-c7-4c47ff7349e3
Received: from esealmw129.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id A5.55.06895.37FF74C4; Thu, 22 Jul 2010 10:21:07 +0200 (CEST)
Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Thu, 22 Jul 2010 10:21:06 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Thu, 22 Jul 2010 10:21:06 +0200
Received: from nomadiclab.lmf.ericsson.se (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 75DE324DC for <hybi@ietf.org>; Thu, 22 Jul 2010 11:21:06 +0300 (EEST)
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 6A4004FBBD for <hybi@ietf.org>; Thu, 22 Jul 2010 11:21:06 +0300 (EEST)
Received: from n200.nomadiclab.com (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 129D54F585 for <hybi@ietf.org>; Thu, 22 Jul 2010 11:21:06 +0300 (EEST)
Message-ID: <4C47FF71.3050000@ericsson.com>
Date: Thu, 22 Jul 2010 11:21:05 +0300
From: Salvatore Loreto <salvatore.loreto@ericsson.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.11) Gecko/20100711 Thunderbird/3.0.6
MIME-Version: 1.0
To: hybi@ietf.org
References: <Pine.LNX.4.64.1007212153110.7242@ps20323.dreamhostps.com> <AANLkTiku76oSucTNDFdwgsFBNFa_cCpC-YktTnMfX47-@mail.gmail.com> <4C479130.4020500@caucho.com> <AANLkTikLDjBP-Xs5t6TxmJuq4nG8jwThQ=n34B4cEmup@mail.gmail.com> <4C479CE4.6070805@caucho.com> <AANLkTims1er0Rbv0ysP4gRs1Kd0He8hapHeJ3nON=JQa@mail.gmail.com> <4C47C5B0.3030006@caucho.com> <AANLkTi=ND-FOH8OoD=TCbiyeSZ-h0LhxQBXN5w-2hfvj@mail.gmail.com> <20100722055452.GL7174@1wt.eu> <AANLkTik_rpxo=1OfzHkwpC5soQG_NxvGuZNXx7gdhVTh@mail.gmail.com> <20100722064945.GM7174@1wt.eu> <AANLkTim7AsQGSwLE51uktj=B1vB6roZChAtDoCrE6fFG@mail.gmail.com>
In-Reply-To: <AANLkTim7AsQGSwLE51uktj=B1vB6roZChAtDoCrE6fFG@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070409070203030400010005"
X-Virus-Scanned: ClamAV using ClamSMTP
X-OriginalArrivalTime: 22 Jul 2010 08:21:06.0621 (UTC) FILETIME=[D4F9C6D0:01CB2976]
X-Brightmail-Tracker: AAAAAA==
Subject: [hybi] Upgrade Mechanism and HasMat (was Re: Extensibility mechanisms?)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 08:20:53 -0000

Hi Adam,

first let me thank you, Willy, Maciej  for the discussion about 
cross-protocol vulnerability,
having the explanation and picture of the problem always help the 
discussion and boost the
possibility to find a good solution.

from my personal point of view,
I see more value to work on a general solution to secure the HTTP 
Upgrade mechanism
against cross-protocol vulnerability, instead of trying to draft 
something ad-hoc for WebSocket

actually that sounds at least to me as something that perfectly fit in 
the HasMat BoF.

    "The goal of this working group is to standardize a small number of
    selected specifications that have proven to improve security of Internet
    Web applications. The requirements guiding the work will be taken from
    the Web application and Web security communities.

It would be extremely good if you (or someone else) can arrange a short 
presentation about this issue during the HasMat BoF!
If nobody volunteer I can prepare a couple of slides (taking advantage 
of what you have discussed in this thread)
and ask 5 minutes to the HasMat chairs to present them.


I also think the wg should also investigate the TLS+NPN approach, that 
is quite promising but we have also consider
that it also a work in progress.

cheers
Sal




On 7/22/10 10:08 AM, Adam Barth wrote:
> On Wed, Jul 21, 2010 at 11:49 PM, Willy Tarreau<w@1wt.eu>  wrote:
>    
>> On Wed, Jul 21, 2010 at 11:11:58PM -0700, Adam Barth wrote:
>>      
>>> On Wed, Jul 21, 2010 at 10:54 PM, Willy Tarreau<w@1wt.eu>  wrote:
>>>        
>>>> On Wed, Jul 21, 2010 at 09:40:00PM -0700, Adam Barth wrote:
>>>> If this is indeed the issue you're talking about, then I don't see why
>>>> the HTTP-based handshake could be a problem there.
>>>>          
>>> Well, it certainly *could* be a problem if improperly designed.
>>>        
>> Indeed, and as such the -76 one is, because the first bytes can be used
>> to send a second HTTP request to a server through a reverse-proxy while
>> at this point this should only be WebSocket and not HTTP.
>>      
> Interactions with both proxies and reverse proxies are important to
> consider for HTTP-based handshakes because we're likely to get deeper
> into their state machines.  I'm not sure I understand precisely the
> issue you're referring to, but that's why they pay Ian the big bucks.
>
>    
>>> As a
>>> community, we don't have a good science of cross-protocol
>>> vulnerabilities.  We certainly can't understand all possible
>>> interactions between all protocols.  We have to reason about these
>>> attacks indirectly, for example by reduction.  It's possible to reason
>>> about the security of an HTTP-based handshake by reduction to already
>>> existing abilities the attacker has, provided the protocol is designed
>>> with that sort of reasoning in mind.  Blithely hoping "HTTP likeness"
>>> will avoid all issues isn't sufficient.
>>>        
>> That's why I'm trying to reduce the amount of blind emissions during the
>> handshake.
>>      
> Attacker-controlled blind emission is definitely a bad idea.  Fixed
> once-and-for-all strings are probably not that bad.  Bytes chosen
> uniformly at random for each request are best.
>
>    
>>>> It's not more than any other common HTTP request,
>>>>          
>>> Keep in mind that attacker can only generate a very stylized subset of
>>> HTTP requests in browsers today.  Stepping outside that subset
>>> requires careful consideration.
>>>        
>> My concern is also that we're becoming too much different from this
>> stylized subset, by introducing special features that nobody cares
>> to qualify possible negative impacts nor means of exploitation. I'd
>> rather stick to something well mastered which shares the same class
>> of possible vulnerabilities and attacks as the other ones targetting
>> the same agents, so that when we spot one and fix it, the issue is
>> fixed for all uses.
>>      
> I didn't understand the concrete implications of this paragraph.
>
>    
>>>> Basically we should get this :
>>>>
>>>>   - the client sends an HTTP handshake (headers only)
>>>>   - the server responds with its HTTP handshake
>>>>   - the client checks the response and only then forwards
>>>>     data.
>>>>
>>>> This standard scheme protects against cross-protocol attacks (as I
>>>> understand them) as the client does not send anything unless the
>>>> server proves its ability to understand the client protocol. Also,
>>>> the request and response are different HTTP messages, so a simple
>>>> echo server can't return the valid handshake by accident.
>>>>          
>>> We're worried about more complex servers than just an echo server.
>>> That's why the proof of understanding is more complex.  Certainly an
>>> identical client ->  server and server ->  client message would be a
>>> poor design.  However, just because they're not identical doesn't mean
>>> we're out of the woods.
>>>        
>> I agree, but at least we can enumerate the strict requirements for
>> the client to accept to send data to the server, which reduce the
>> exposure. Right now with a properly designed HTTP upgrade handshake,
>> you require a very precise set of criteria in the response that only
>> a server understanding the protocol could send because a non-WS
>> server would not have invented them. And one advantage of HTTP upgrade
>> is that the response MUST start with "HTTP/1.1 101". Anything else
>> won't match, which considerably limits the ability to inject the
>> response into the server's mouth. For instance, my SMTP server sends
>> me a "220 mail.home.local" first, which does not match HTTP/1.1. Some
>> other protocols will for instance send "Error: GET /xxx unknown command".
>> In fact, the parts we expect from the response cannot be guessed from
>> the command by non-WS aware servers. This is what makes it quite robust
>> already.
>>      
> You're describing a defense which we've been calling rigidity.  By
> making the handshake rigid, it's harder to squeeze though some other
> protocol's state machine.  However, you can imagine protocols that are
> vulnerable to a perfectly rigid handshake.  As an example, imagine a
> protocol like gopher where the attacker might be able to control all
> the bytes returned by the server (e.g., because the server accepts
> uploads).
>
> There's value to having other defenses against cross-protocol attacks
> in addition to rigidity.  Just as Greg's nonce isn't magic security
> pixie dust, neither is rigidity.
>
>    
>>>> So with this, I'm sorry I don't see what class of cross-protocol
>>>> attacks remain and which ones we should actively protect against,
>>>> so if you have good examples, it would be nice if you could take
>>>> some time to share them.
>>>>          
>>> Designing a secure protocol doesn't mean enumerating all attacks and
>>> making sure we avoid them all.  We're not smart enough to envision all
>>> attacks.
>>>        
>> Agreed. Otherwise it's a lost game. But they can serve as examples to
>> try to defeat a design however.
>>
>>      
>>> Instead, we need to convince ourselves that no attacks are
>>> possible, which is much the opposite problem.  I don't have a pile of
>>> attacks in my back pocket.  Instead, I can tell you that the protocol
>>> presented earlier in this thread is unlikely to be free of
>>> cross-protocol vulnerabilities because it lacks a number of defenses
>>> and mitigations, some of which you've listed in your message.
>>>        
>> Yes, but as Scott said it, it was a proposal to work on something with
>> a constructive approach. Not everyone is perverted enough to think how
>> a protocol can be abused, and that's why we need a variety of people to
>> work on the same protocol.
>>      
> I'm take some offense at being called perverted.
>
> Adam
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>
>    


-- 
Salvatore Loreto
www.sloreto.com

v2.23.0 | Report a Bug | By Email