IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Mon, 27 September 2010 05:36 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7653C3A6C6B for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 22:36:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.556
X-Spam-Level:
X-Spam-Status: No, score=-0.556 tagged_above=-999 required=5 tests=[AWL=-0.993, BAYES_40=-0.185, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKK7VzCUCoZR for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 22:36:53 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 26E003A6C75 for <hybi@ietf.org>; Sun, 26 Sep 2010 22:36:20 -0700 (PDT)
Received: by iwn3 with SMTP id 3so5212641iwn.31 for <hybi@ietf.org>; Sun, 26 Sep 2010 22:35:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.33.205 with SMTP id i13mr8258086ibd.59.1285565756774; Sun, 26 Sep 2010 22:35:56 -0700 (PDT)
Received: by 10.231.178.88 with HTTP; Sun, 26 Sep 2010 22:35:56 -0700 (PDT)
In-Reply-To: <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com>
Date: Mon, 27 Sep 2010 15:35:56 +1000
Message-ID: <AANLkTimk3-vmLuM6zE_v9ovf6-xbYNhrstVVSfNKh9_T@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: hybi <hybi@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 05:36:56 -0000

Maciej, Adam,


On 27 September 2010 14:35, Maciej Stachowiak <mjs@apple.com> wrote:
> If you don't understand the risks, then I am not sure you are in a good position to propose solutions or evaluate their effectiveness.

Please stop using insults of my suitability to partake in this
discussion as substitutes for reasoned discussion.


> Many in this WG seem to discount the importance of security risks that they do not personally understand.

Please don't suggest that I do not take security issues seriously or
that by proposing amendments to the handshake that I am somehow trying
to weaken the protection against cross protocol attacks.

> One thing I have learned is that it is very risky to have a defense that just barely works.

Something that many have not learnt is that having something that
looks secure, but has not been subject to rigorous due diligence, is
often highly insecure.


> The reason I am skeptical of your proposed ping-poing handshake as a defense
> against cross-protocol attacks is that the *only* defense protecting WebSocket servers
> from attacks over HTTP is the assumed inability of browser-hosted HTTP clients to send
> whatever carries the random nonce, or something that looks sufficiently similar.

Well the ping pong proposal is actually not addressed at cross
protocol concerns.   The ping pong proposal is focused on the supposed
"fast fail" detection of intermediaries that do not support websocket.

With regards to the defence against cross protocol attacks, the only
change of substance that I have suggested is the removal of the space
counting and random character injection in the keys transmitted.   I
have suggested that the hashed response is carried in a websocket ping
rather than as unframed data, but I do believe that changes the
security nature of the issue (as any server that allowed the injection
of 16 random unframed bytes would surely also allow the injection of a
valid ping frame containing those bytes).

Thus the ping pong proposal carries essentially the same protection
against cross protocol attacks as the current handshake:

1) Standard in browser HTTP mechanisms are unable to generate the Sec- headers
2) The nonce is generated after the Websocket object is created - and
changing it's encoding from char injected space divided strings to hex
makes no difference.
3) Standard clients will be unable to generate the required pong
response, just as they cannot generate the 8 random unframed bytes.


> A potential improvement would be to require the server to produce a random number,
> which is included in the ping and must be in the pong in addition to the hash. In that case,
> an attacker could not queue up the correct pong without looking at the server's response at all.
> But going down this road results in increasingly elaborate schemes, along the lines of the -76 handshake.

Great - a real technical proposal! The pong message is already
required to contain the contents of the ping, so it is already not
possible for a pong message to be simply queued (the attacker has
neither the capability to send the bytes, nor the knowledge of what
they should be).


> It's also likely there are more complicated flaws that we simply haven't thought of yet. I don't think we can
> stake the security of this protocol just on our own ability to think up attacks within a period of only a few weeks.

Where have I suggested that we adopt the whack-a-mole approach of
dealing with only specific known attacks.

I've have been talking about general capabilities that an attacker may
have (eg what kind of bytes sequences they can generate on the wire)
plus the general limitations on what an attacker may know (eg
predicting nonce values, access to cookies etc.).     We then have to
evaluate if the presence of websocket in a browser or server gives an
attacker any additional capabilities or any additional knowledge that
may contribute to any kind of attack.

It is not sufficient to simply say that cross protocol is really
complex and scary an that any attempt to remove the space counting
from the handshake is bound to open up a whole range of unknown and
unforeseeable  security problems.


> As I have thought about these issues, I am increasingly convinced that an NPN-style solution is much more robust.

Indeed it is, and I fully support efforts to standardize that as
another way to establish websocket connections.

Meanwhile we have some real proposals to establish websocket
connections via a HTTP upgrade.  Can we please discuss this and the
security implications of it.  If we are unable to come up with a
reasoned and explicable security model for websocket, then the IETF
processes will not allow any of our proposals progress.

v2.23.0 | Report a Bug | By Email