Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

"Shelby Moore" <shelby@coolpage.com> Wed, 18 August 2010 11:10 UTC

Message-ID: <a351027aa8b3d076ca0ec3cebba210db.squirrel@sm.webmail.pair.com>
Date: Wed, 18 Aug 2010 07:10:54 -0400
From: Shelby Moore <shelby@coolpage.com>
To: hybi@ietf.org
Subject: Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

http://www6.ietf.org/mail-archive/web/hybi/current/msg02400.html

Mike Belshe wrote:
> The browser opens network connections on behalf of the user.  A web page
> can embed links and script which cause the browser to open links to
> foreign sites on any port.  If those servers are poorly implemented, and
> an attacker sends the right web request their way, they might crash.
> Your natural instinct, of course, is to tell them to fix the server,
> which you should.  But, what if some bad guy convinces a bunch of users
> at Innotech.com to click a link which causes the internal print server
> to die?  Pretty soon, the browser which allows this to happen gets
> banned from the organization.  This is why browsers today implement port
> blocking to prevent access to standard ports.  But it's a pretty weak
> security.

My understanding is not that the servers are poorly implemented but that
the attacked legacy protocols are poorly designed. For example, a protocol
that allows access without a login password (e.g. SMTP) must be prepared to
get spammed; it is not an attack nor a bug, it is a feature of the design
of the protocol.

Although I have stated that the browsers shouldn't send HTTP to a non-HTTP
port (because not doing so doesn't cost them anything), I agree that is
not security, it is just an optimization.  However, requiring the browser
to give up useful features in order to offer non-security is simply
insane. It will eventually dead-end with an internet that is whitelisted
and freedom is completely gone. But we have to be insane to live in this
world anyway:

http://www.marketoracle.co.uk/Article21650.html

Let me explain that non-solution/inertia is socialism. If I build my house
with highly flammable materials, then my house catches on fire from your
rather normal use of a charcoal barbecue, then I sue you for burning down
my house, that will not cause people to build better houses; instead it
will cause people to use gas barbecues and buy insurance.  This is why
insurance is socialism. It motivates people to become stupid, reduce
choice, and avoid optimization.

Rather I say slam the bad protocols so they will decide to fix their
problem. But there is a practical problem-- inertia.  Ah socialism always
wins because of inertia.  But what form does socialism take when it wins?
Ahem, complete failure. Then we can start again and do it a better way,
but eventually we make mistakes and refuse to battle inertia and we end up
in complete failure again. This is the rather depressing pattern of
nature.

Every once in a blue moon, a "genius" (usually someone stupid/oblivious
enough to try) will find a paradigm shift that (catches a popular trend)
finds a way to tunnel through some aspect of the pre-existing inertia
(socialism) and it becomes very popular.  These are beautiful (until they
become the inertia problem) and they usually make someone very wealthy
and/or famous.

If the proposed encryption (to help not reveal bad text protocols) is an
optimization of WS over HTTP, then no harm.  But if we add costs because
we refuse to attack bad inertia, well we are on that slippery slope
towards killing the internet.  But don't fret, it is expected and natural.

But can we be more clever?

Well, one optimization: why are we allowing these WebSockets to connect to
ports that are assigned to other legacy protocols by the IANA?  What
benefit does that give WebSockets?  Seems an optimization would be to not
do that.  So then we don't need encryption, unless some bad protocol is
running on a non-IANA-assigned port.  And then why don't we make
encryption optional, so that browsers only need to provide a configurable
option, so that enterprises that use non-IANA-assigned ports can
configure their browsers on the LAN accordingly.  If they expose their
ports to the WAN without user authorization, they are asking for attacks in
the WAN wild, not just from browsers.

I believe there are more clever solutions to break inertia, but we have to
be willing to think out-of-the-box and take interest in new thinking:

http://www6.ietf.org/mail-archive/web/hybi/current/msg03342.html
http://www6.ietf.org/mail-archive/web/hybi/current/msg03345.html

Back to the subject line of this thread.  I don't think browsers break
servers, unless they have bugs:

http://www6.ietf.org/mail-archive/web/hybi/current/msg03340.html
http://www6.ietf.org/mail-archive/web/hybi/current/msg03337.html

The server must anticipate the entire state-machine of its inputs.  The
only way the browser can give the server bugs is when the server is not
prepared for every possibility in its state-machine. The big caveat is
that being a Turing machine means we will never be prepared for
every possibility.

So where does that leave us?

Nature gives us the answer. Go back to the 1856 law of thermo that says
the universe is always trending to maximum disorder. So nature always
wants more independent actors.  Everything we do to inhibit that, will
ultimately fail.

So what makes servers more brittle for security?

CENTRALIZATION.

The most general/fundamental reason that Samy was able to cause so much
damage at MySpace is because there was one vulnerability that applied to
millions of people (and in a geometric-speed sort of way too).

So if we want to reduce damage, we need to accept that some damage is
normal and that proliferated diversity reduces damage overall.

If you use that powerful insight to guide you, you will be as successful as
King Solomon, because the Bible is where I got the motivation.

Okay mentioning the Bible should probably get me banned, so just in case I
will say "happy trails".

Cheers all. (my final post for a while)
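As an added illustration of the port-policy idea raised in this message (not code from the poster or from any browser), the check below refuses WebSocket targets whose port IANA assigns to a legacy protocol, while letting a deployment explicitly opt a `host:port` pair back in, which is the "configurable option for enterprises on non-IANA-assigned ports" suggested above. The port table is a constructed subset chosen for illustration, not any browser's exact bad-port list, and the `policy.allow` shape is a hypothetical one invented for this example.

```javascript
// Added example, not part of the original message. Models the proposal that a
// browser should not open WebSocket (or HTTP) connections to ports assigned to
// other legacy protocols, unless local policy explicitly allows a host:port.

// Constructed subset of IANA-assigned ports for legacy, mostly line-oriented
// text protocols that a browser-originated request could confuse or abuse.
// Illustrative only; real browsers keep their own (longer) restricted lists.
const LEGACY_PROTOCOL_PORTS = new Map([
  [21, "ftp"], [22, "ssh"], [23, "telnet"], [25, "smtp"], [110, "pop3"],
  [119, "nntp"], [143, "imap"], [389, "ldap"], [465, "smtps"],
  [587, "submission"], [993, "imaps"], [995, "pop3s"], [6667, "irc"],
]);

// Default ports for the two WebSocket schemes (RFC 6455): ws -> 80, wss -> 443.
const DEFAULT_PORTS = { "ws:": 80, "wss:": 443 };

// Resolve the port a connection would actually use. WHATWG URL parsing treats
// ws:/wss: as special schemes, so url.port is "" when the default applies.
function effectivePort(url) {
  return url.port === "" ? DEFAULT_PORTS[url.protocol] : Number(url.port);
}

// policy.allow is a hypothetical list of "host:port" strings an enterprise
// has opted in for its LAN (e.g. an internal service on a non-standard port
// that happens to collide with a legacy assignment).
function checkWebSocketTarget(target, policy = { allow: [] }) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return { allowed: false, reason: "target is not a parseable URL" };
  }

  if (!(url.protocol in DEFAULT_PORTS)) {
    return { allowed: false, reason: `scheme ${url.protocol} is not ws: or wss:` };
  }

  const port = effectivePort(url);
  const key = `${url.hostname}:${port}`;

  // Explicit local policy wins, but only for the exact host:port pair, so an
  // enterprise exception for one printer does not reopen the port globally.
  if (policy.allow.includes(key)) {
    return { allowed: true, reason: `explicitly allowed by local policy (${key})` };
  }

  const legacy = LEGACY_PROTOCOL_PORTS.get(port);
  if (legacy !== undefined) {
    return { allowed: false, reason: `port ${port} is assigned to ${legacy}` };
  }

  return { allowed: true, reason: "no conflicting IANA assignment" };
}

// Stand-alone demonstration on constructed targets.
for (const t of [
  "ws://mail.example:25/",                 // refused: SMTP port
  "ws://chat.example/",                    // allowed: default port 80
  "wss://chat.example:8443/feed",          // allowed: unassigned in the table
  "http://chat.example/",                  // refused: not a WebSocket scheme
]) {
  const r = checkWebSocketTarget(t);
  console.log(`${t} -> ${r.allowed ? "allow" : "refuse"} (${r.reason})`);
}
```

The refusal happens on the client before any bytes are sent, which is the point of the proposal: the cost of the check is nil, while the legacy service never sees an HTTP-shaped request it was not designed for.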