Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Sat, 09 October 2010 01:20 UTC

In-Reply-To: <4CAFBD75.4020004@caucho.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com> <4CA772A1.2090808@caucho.com> <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 08 Oct 2010 18:21:23 -0700
Message-ID: <AANLkTi=eykp+cpYjHzCcqiY++9OtPJwRL37h4pyRdY9L@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 01:20:51 -0000

On Fri, Oct 8, 2010 at 5:55 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Greg Wilkins wrote:
>> Even if the handshake could complete - which it couldn't.  Then the
>> server does not have a more or less raw socket.  It has a WS socket
>> and only WS frames can be sent.  I am dubious that a valid websocket
>> frame could be a meaningful HTTP request.
>
> And even if this were all possible, the browser could now ...
>
> ... wait for it ...
>
> ... make HTTP requests to a HTTP server using websockets instead of the
> browser's HTTP client.

Which is, of course, problematic because now the attacker is free of
all the security restrictions the browser places on his use of HTTP.
For example, the attacker can now forge the Host header.

Adam
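A server-side mitigation for the Host forgery mentioned above, as an added example that is not part of the thread and not code from any project discussed in it: whatever client produced the request (a browser, a browser driven through a WebSocket, or a raw socket), the server can refuse to act on a Host header that does not name it. The allowlist, the port and the sample handshake requests are constructed for the example.

```python
"""Host-header validation for an HTTP server or WebSocket handshake endpoint.

Added example; not code from the hybi thread or any project it discusses.
A client that is not bound by a browser's header restrictions can put
anything in Host, so the server must not trust it: accept a request only
if Host names this server. Hostnames and sample requests are constructed.
"""

ALLOWED_HOSTS = {"app.example.com", "www.example.com"}  # constructed allowlist
DEFAULT_PORT = 80                                         # assumed listening port


def parse_request_head(raw: bytes):
    """Split a raw HTTP request head into (request_line, headers).

    Header names are lower-cased. A second Host header is treated as an
    error rather than merged, since a request with two Hosts is ambiguous.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name in headers:
            if name == "host":
                raise ValueError("duplicate Host header")
            headers[name] += ", " + value.strip()
        else:
            headers[name] = value.strip()
    return request_line, headers


def host_is_allowed(host_value, allowed_hosts=ALLOWED_HOSTS, port=DEFAULT_PORT):
    """Return True only if the Host header names this server (and its port)."""
    if host_value is None:
        return False
    host_value = host_value.strip().lower()
    if not host_value:
        return False
    # Separate an optional port. IPv6 literals are bracketed, e.g. "[::1]:80".
    if host_value.startswith("["):
        end = host_value.find("]")
        if end < 0:
            return False
        hostname, port_part = host_value[:end + 1], host_value[end + 1:]
        if port_part and not port_part.startswith(":"):
            return False
        port_part = port_part[1:]
    else:
        hostname, _, port_part = host_value.partition(":")
    if port_part:
        if not port_part.isdigit() or int(port_part) != port:
            return False
    return hostname in allowed_hosts


def accept_request(raw: bytes) -> bool:
    """Decide whether a raw request head may be served at all."""
    try:
        _, headers = parse_request_head(raw)
    except ValueError:
        return False
    return host_is_allowed(headers.get("host"))


# Constructed sample handshakes: one honest, one with a forged Host.
GOOD_HANDSHAKE = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Origin: http://app.example.com\r\n\r\n"
)
FORGED_HANDSHAKE = GOOD_HANDSHAKE.replace(
    b"Host: app.example.com", b"Host: other-site.example.net"
)

if __name__ == "__main__":
    print("honest handshake accepted:", accept_request(GOOD_HANDSHAKE))
    print("forged Host accepted:", accept_request(FORGED_HANDSHAKE))
```

The check is deliberately an exact-match allowlist rather than a suffix or substring test, and a request carrying two Host headers is rejected outright instead of being merged, because a merged or loosely matched Host is exactly what a client free of browser restrictions would try to exploit.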