Re: [hybi] WS framing alternative

Greg Wilkins <gregw@webtide.com> Fri, 30 October 2009 23:55 UTC

Message-ID: <4AEB7CE7.8090903@webtide.com>
Date: Sat, 31 Oct 2009 10:55:19 +1100
From: Greg Wilkins <gregw@webtide.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: hybi@ietf.org
References: <8B0A9FCBB9832F43971E38010638454F0F1EA72C@SISPE7MB1.commscope.com> <Pine.LNX.4.62.0910270903080.9145@hixie.dreamhostps.com> <a9699fd20910270426u4aa508cepf557b362025ae5db@mail.gmail.com> <Pine.LNX.4.62.0910271824200.25616@hixie.dreamhostps.com> <4AE76137.8000603@webtide.com> <Pine.LNX.4.62.0910272118590.25608@hixie.dreamhostps.com> <20091029123121.GA24268@almeida.jinsky.com> <4AEA0E6C.1060607@webtide.com> <4AEA5713.8020008@it.aoyama.ac.jp> <Pine.LNX.4.62.0910300346010.25616@hixie.dreamhostps.com> <20091030124644.GC3579@shareable.org>
In-Reply-To: <20091030124644.GC3579@shareable.org>

Jamie Lokier wrote:

> Result: Because of assumptions, 0xff bytes will be sent occasionally
> in the middle of a frame.  Everything afterwards will break, but it'll
> be rare enough that the author doesn't notice.  For the same reason
> you've explained authors get lengths wrong.
> 
> The sentinel approach does not solve this fragility problem, it merely
> shifts it around to a different place.

The sentinel approach also opens an easy attack vector. If user data
is sent, then tricking a poor implementation into sending a 0xFF
will allow packet insertion.

This is similar to CRLFCRLF insertion attacks that can happen
if user data is set unfiltered into a HTTP header and/or cookie.

Length framing avoids this vulnerability.

Note also that my proposal for a meta-data bit would allow
headers to be sent in one length frame and data in another, so
the CRLFCRLF sentinel would not be needed and that vulnerability
would also be avoided.


regards
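A toy illustration of the frame-insertion problem discussed above, added here as an example and not part of the original thread. The two frame layouts (a bare 0xFF terminator with no escaping, and a 2-byte big-endian length prefix) are assumptions for the demonstration, not the layout of any particular draft; the user data is constructed.

```python
# Added example: why an unescaped sentinel lets user data split one frame
# into two, while length framing carries the same bytes through intact.
# Both frame layouts below are assumed for illustration only.

SENTINEL = 0xFF


def sentinel_encode(payload):
    """Naive sentinel framing: payload followed by 0xFF, no escaping."""
    return bytes(payload) + bytes([SENTINEL])


def sentinel_decode(stream):
    """Receiver view: every 0xFF ends a frame, wherever it came from."""
    frames, current = [], bytearray()
    for b in stream:
        if b == SENTINEL:
            frames.append(bytes(current))
            current = bytearray()
        else:
            current.append(b)
    return frames  # a trailing partial frame (no terminator yet) is left pending


def length_encode(payload):
    """Length framing: 16-bit big-endian length, then the payload verbatim."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    return len(payload).to_bytes(2, "big") + bytes(payload)


def length_decode(stream):
    """Receiver view: read the length, then exactly that many bytes."""
    frames, pos = [], 0
    while pos + 2 <= len(stream):
        n = int.from_bytes(stream[pos:pos + 2], "big")
        pos += 2
        if pos + n > len(stream):
            raise ValueError("truncated frame")
        frames.append(stream[pos:pos + n])
        pos += n
    return frames


# Constructed user-supplied data that happens to contain the sentinel byte.
USER_DATA = b"hello" + bytes([SENTINEL]) + b"injected"


def sentinel_frames_for(user_data):
    return sentinel_decode(sentinel_encode(user_data))


def length_frames_for(user_data):
    return length_decode(length_encode(user_data))
```

With sentinel framing the single send above is parsed as two frames, `hello` and `injected`; with length framing it is one frame containing the 0xFF byte unchanged.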