Re: [hybi] Handshake was: The WebSocket protocol issues.

Simone Bordet <simone.bordet@gmail.com> Wed, 29 September 2010 18:37 UTC

In-Reply-To: <20100929171550.GB8583@1wt.eu>
Date: Wed, 29 Sep 2010 20:38:11 +0200
Message-ID: <AANLkTikq02dtvyNW9DBohZ8ZRvQnmGnSUse0dNYY6WH8@mail.gmail.com>
From: Simone Bordet <simone.bordet@gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

Hi,

On Wed, Sep 29, 2010 at 19:15, Willy Tarreau <w@1wt.eu> wrote:
> On Wed, Sep 29, 2010 at 09:47:37AM -0700, Maciej Stachowiak wrote:
>> The idea is that you make an HTTP request with a header that looks close enough to the WS handshake to fool the server, followed by what appear to be WS messages in the body.
>
> Except that you have the Upgrade header which requires a 101 in
> response. A normal HTTP server will either :
>  - ignore the Upgrade and return a classical code (200, 404, 403, ...)
>  - consider the Upgrade header and either return 101 because it matches
>    the protocol it supports (WebSocket) or return an error code because
>    it does not support the WS protocol.

I think Maciej's point was that the server could interpret a ws
message before knowing that the client is a real (or good) ws client.
E.g.

GET / HTTP/1.1
...
Upgrade: WebSocket
Content-Length: 0
<bytes that look like a ws frame>

The server replies with a 101, then starts reading the bytes
interpreting them as websocket.

However, I don't see how this could be interpreted by a ws server in
the ping-pong handshake that Greg/Scott were proposing: there is no
way for the client to guess the exact content of the pong message
before receiving the ping.
And an HTTP server would just choke on those bytes, because I don't
think that a ws message (whatever framing we settle on) can possibly
generate a valid http request line.
The server would just read the bytes, understand the client is not a
ws compliant client, and close the connection.
And if it does not, then it's a buggy server and there is nothing we
can do about it (both as a websocket and http server).

I am sure I am missing something and that an attack is possible, but I cannot see it.
Would someone more expert in the area provide an example of how the
ping-pong handshake would offer an attack opening?

Simon
-- 
http://bordet.blogspot.com
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
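The exchange discussed in this message, as an added illustration that is not code from the thread or from any draft: a server that answers the Upgrade request with a random ping and refuses to read frames until the client's next bytes are the matching pong, so bytes appended to the request before the ping existed fail the check and the connection is closed. The pong derivation (SHA-256 of a 16-byte ping), the request text and the appended frame-looking bytes are all constructed assumptions.

```python
import hashlib
import os
# Added illustration, not code from the thread: a hypothetical challenge-response
# handshake. The server answers the Upgrade request with a random 16-byte ping
# and reads frames only after the client's next 32 bytes equal SHA-256(ping).
PONG_LEN = 32
REQUEST = (b"GET / HTTP/1.1\r\nHost: example\r\nUpgrade: WebSocket\r\n"
           b"Content-Length: 0\r\n\r\n")
def split_request(data: bytes):
    """Return (headers, bytes_after_head), or None if the head is incomplete."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return None
    headers = {}
    for line in data[:end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, data[end + 4:]

def pong_for(ping: bytes) -> bytes:
    """What an honest client can only compute after it has seen the ping."""
    return hashlib.sha256(ping).digest()

class HandshakeServer:
    def __init__(self, rng=os.urandom):
        self.ping = rng(16)  # fresh per connection, so it cannot be precomputed

    def on_request(self, data: bytes):
        """Parse the head; return (status, ping_to_send, carried_over_bytes)."""
        parsed = split_request(data)
        if parsed is None:
            return "need_more", b"", data
        headers, carry = parsed
        if headers.get(b"upgrade", b"").lower() != b"websocket":
            return "plain_http", b"", carry
        # Anything that arrived before the ping existed is carried over and
        # judged as the pong; it is never decoded as a frame.
        return "ping_sent", self.ping, carry

    def on_pong(self, data: bytes) -> str:
        """The first PONG_LEN bytes after the head must be the pong, else close."""
        return "open" if data[:PONG_LEN] == pong_for(self.ping) else "close"

def exchange(server: HandshakeServer, appended: bytes = b"") -> str:
    """One handshake: request (+ whatever the client appended), then the pong."""
    status, ping, carry = server.on_request(REQUEST + appended)
    if status != "ping_sent":
        return status
    return server.on_pong(carry + pong_for(ping))
```

`exchange(HandshakeServer())` opens normally, while `exchange(HandshakeServer(), b"\x81\x05hello")` closes because the pre-sent bytes are read where the pong should be.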