IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Tue, 12 October 2010 02:13 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BE7E3A68B3 for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 19:13:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.781
X-Spam-Level:
X-Spam-Status: No, score=-105.781 tagged_above=-999 required=5 tests=[AWL=0.218, BAYES_00=-2.599, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hOqRD3B6lA6 for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 19:13:01 -0700 (PDT)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id B1D9A3A68B1 for <hybi@ietf.org>; Mon, 11 Oct 2010 19:13:01 -0700 (PDT)
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out4.apple.com (Postfix) with ESMTP id E9324B550386 for <hybi@ietf.org>; Mon, 11 Oct 2010 19:14:14 -0700 (PDT)
X-AuditID: 11807134-b7c05ae000002d5d-e3-4cb3c476c298
Received: from et.apple.com (et.apple.com [17.151.62.12]) by relay14.apple.com (Apple SCV relay) with SMTP id E9.F5.11613.674C3BC4; Mon, 11 Oct 2010 19:14:14 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [10.0.1.14] ([69.181.196.33]) by et.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0LA5002YQNJQAO10@et.apple.com> for hybi@ietf.org; Mon, 11 Oct 2010 19:14:14 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4CB3A502.9010305@caucho.com>
Date: Mon, 11 Oct 2010 19:14:13 -0700
Message-id: <9390A705-6214-43D0-A62E-B3B6A9779EE0@apple.com>
References: <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com> <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com> <20101009055723.GL4712@1wt.eu> <AANLkTimY2DjxgZybibSRtc7L34Wns2KhQC=Wa9K6PYku@mail.gmail.com> <20101009204009.GP4712@1wt.eu> <AANLkTi=Az0RmE1Uipo068zMh3YzgMpM2tQ+zYxaDT47A@mail.gmail.com> <20101011053354.GA12672@1wt.eu> <4CB2D7BD.1070004@opera.com> <9B9FA451-5551-4434-8EC1-BAC834FB9A61@apple.com> <AANLkTimDc_aqRTtgRpMKhdhk6x+vPGyOPvU3A=6mK9S7@mail.gmail.com> <4CB3373C.5050507@opera.com> <4CB3A502.9010305@caucho.com>
To: Scott Ferguson <ferg@caucho.com>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Oct 2010 02:13:03 -0000

On Oct 11, 2010, at 5:00 PM, Scott Ferguson wrote:

> James Graham wrote:
>> On 10/11/2010 02:28 PM, Greg Wilkins wrote:
>>> 
>> 
>> So there is an underlying issue here that I don't understand. It seems clear to me that Adam and Eric's proposed handshake has a better security story with regard to cross-protocol attacks than -75, -76, or any other proposal other than using NPN with TLS. However there seem to be a number of people who have problems with this proposed handshake to the extent that they are prepared to forgo the security properties in order to get something different. In general people seem to be aware that they are making the security weaker since the arguments are mostly about how different approaches will probably be good enough in practice even though they are theoretically inferior.
>> 
>> What I haven't followed is what the problems with the proposal actually are. I understand that I have likely missed these in other messages, but it would be helpful if people who believe that the proposed approach, or aspects of it, are unworkable could summarise the outstanding issues they see.
> 
> Some of the problems with the proposal:
> 
> 1. auditing - the proposal takes away the capability to audit requests after an attack. Remember, cross-protocol is not the only kind of attack. Server admins will want to track down access logs to find the problem, but the proposal makes these request log opaque to the server admins.

It doesn't take away that capability - just means a WebSocket aware server needs some additional logging code.

> 2. authorization - since the proposal no longer uses URL/method and specifically doesn't use a unique WEBSOCKET method, existing security systems in existing servers cannot be used. (<Limit>, .htaccess, etc.)

For servers that are not modified to be aware of WebSocket, this is true, but probably not very relevant since WebSocket connection attempts will fail. For servers that are updated to support WebSocket, that doesn't have to be true.

> 
> 3. incompatibility with existing host/application dispatch models. In existing servers, the URL/host are used to dispatch to the server before processing. This proposal upends that model, requiring WebSocket to be dispatched before knowing the target resource.

Adam's revised design allows for this, but it would require servers to be updated to decrypt the extra URL and host fields, after which they could be passed through the ordinary dispatch logic.

> 
> 4. performance - the proposal requires encryption of the entire data stream. That's not cheap on the server side.

If AES-128-CR is too computationally expensive (and I really doubt it is), the proposal works fine with simpler ciphers. However, I believe modern server-class hardware can do streaming AES-128 at a rate that would significantly outpace even the fastest network hardware, so I would be skeptical that this is going to be the bottleneck absent some data.

I'm pretty convinced that encrypting the message payload, even if not the handshake header, is pretty much essential, even if it is only dumb encryption like XOR with the key. There is almost no downside and it greatly reduces the attack surface.

> 
> To justify these security, performance, and management penalties, the proposal proposes an attack which requires the target machine to run an attacker program, assumes the target web server is under the control of the attacker, and assumes the target application has an additional open security hole to non-browser clients.

I would put it another way. It replaces security-by-coincidence with a provable invariant. Instead of having to bet that no WebSocket stream will ever happen to look like an understandable part of another protocol, you make sure an attacker using WebSocket can only send a fixed prelude plus what will seem to be random bytes, and a WebSocket service being attacked with HTTP will only see random bytes after decrypting.

Also, the Adam+Eric proposal actually has a significant performance advantage over Greg's proposed handshake, namely fewer round trips. Even if this effect does not dominate today (and I suspect it does), cpu speed grows much faster than network latency shrinks.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email