IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Tue, 28 September 2010 05:26 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BE6823A6B2C for <hybi@core3.amsl.com>; Mon, 27 Sep 2010 22:26:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.685
X-Spam-Level:
X-Spam-Status: No, score=-106.685 tagged_above=-999 required=5 tests=[AWL=-0.086, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8W7jYW+nDia7 for <hybi@core3.amsl.com>; Mon, 27 Sep 2010 22:26:16 -0700 (PDT)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by core3.amsl.com (Postfix) with ESMTP id 44A9E3A69F2 for <hybi@ietf.org>; Mon, 27 Sep 2010 22:26:16 -0700 (PDT)
Received: from relay15.apple.com (relay15.apple.com [17.128.113.54]) by mail-out3.apple.com (Postfix) with ESMTP id D9A91AB9C72B for <hybi@ietf.org>; Mon, 27 Sep 2010 22:26:56 -0700 (PDT)
X-AuditID: 11807136-b7b3eae0000066cf-de-4ca17ca04c49
Received: from gertie.apple.com (gertie.apple.com [17.151.62.15]) by relay15.apple.com (Apple SCV relay) with SMTP id 53.15.26319.0AC71AC4; Mon, 27 Sep 2010 22:26:56 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.102.217] by gertie.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L9F00J8XZ4WCL60@gertie.apple.com> for hybi@ietf.org; Mon, 27 Sep 2010 22:26:56 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <4CA0D0D2.4040006@caucho.com>
Date: Mon, 27 Sep 2010 22:26:56 -0700
Message-id: <F1C112EC-28AB-4CE2-9208-2517077E5EC2@apple.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com>
To: Scott Ferguson <ferg@caucho.com>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAA==
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2010 05:26:19 -0000

On Sep 27, 2010, at 10:13 AM, Scott Ferguson wrote:

> Maciej Stachowiak wrote:
>> On Sep 26, 2010, at 6:22 PM, Greg Wilkins wrote:
>> 
>>  
>>> 2010/9/27 Maciej Stachowiak <mjs@apple.com>:
>>>    
>>>> Here is an email from February where I summarized some of the risks from
>>>> cross-protocol attacks for WebSocket:
>>>>      
>>> Maciej,
>>> 
>>> thanks for the reference, but I didn't and still don't fully
>>> understand the actual risk posed by those descriptions and that we are
>>> still shadow boxing against perceived rather than real threats.
>>>    
>> 
>> The reason I am skeptical of your proposed ping-poing handshake as a defense against cross-protocol attacks is that the *only* defense protecting WebSocket servers from attacks over HTTP is the assumed inability of browser-hosted HTTP clients to send whatever carries the random nonce, or something that looks sufficiently similar. Your summary doesn't specify exactly how the nonce is sent, but I'll assume it is using a header that normally cannot be sent via cross-site XHR or similar APIs.
>>  
> 
> Yes, the "ping" packet is missing a hash, which is needed to validate the browser as a websocket browser. Modifying Greg's proposal:
> 
> C1: c-nonce=...
> 
> S2: H(c-nonce, "WebSocket")
>     s-nonce=...
> 
> C3: H(s-nonce, "WebSocket")
> 
> With that modification, the client does not send websocket data until the server has been validated as a websocket server, and the server does not process websocket data until the client has been validated as a websocket client. (There's no need for a S4 "pong" packet since the server is already validated as websocket when the client validates S2.) That protocol is pretty much the minimum required, and doesn't add overhead beyond the current handshake.

Yes, I think that would be stronger in the scenario I describe, but it would be highly vulnerable to a bad RNG on the server, in part because the final authentication of the client does not involve the c-nonce at all.

More generally, I am not 100% confident that this approach will hold up in the long term against novel attacks.

> 
> I'd propose two additional changes that aren't required, strictly speaking, but would be helpful for other security-related reasons:
> 
> 1. Use "WEBSOCKET" instead of "GET" as the HTTP method. This is helpful because it lets validating servers quickly reject websocket requests (e.g. well-behaved HTTP servers), and lets server administrators use existing security frameworks (which are often HTTP method based), to specify websocket security easily. With the current "GET", it's somewhat of a problem for a server administrator to specify a different policy for GET vs websockets.
> 
> 2. Use a new AUTH or HELLO opcode/packet for the C3 hash instead of overloading PING. This would make the packet's purpose clear and give a space for any future challenge-based authentication to put its credentials in a future spec extension. (I'd recommend any authentication extension/C3-payload use HTTP style authentication headers so the extension could just use existing security handshakes.)

#1 seems like an improvement, but #2 doesn't seem to give any security benefit.

> 
>> A potential improvement would be to require the server to produce a random number, which is included in the ping and must be in the pong in addition to the hash. In that case, an attacker could not queue up the correct pong without looking at the server's response at all. But going down this road results in increasingly elaborate schemes, along the lines of the -76 handshake. It's also likely there are more complicated flaws that we simply haven't thought of yet. I don't think we can stake the security of this protocol just on our own ability to think up attacks within a period of only a few weeks.
>>  
> 
> No, it's different from -76, because the properties of the nonce/hash pattern are well known. The flaw with -76 is just what you describe: it's inventing new security patterns and is likely to have complicated flaws. Sticking to a well-known pattern is the right way to go.

Nonce/hash is a well-known mechanism. But I do not believe there is a lot of knowledge on using it as a defense against cross-protocol attacks. Generally it is used as part of a challenge-response mechanism for authentication purposes, but authentication is not the goal here. There is no shared secret or public-private keypair involved.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email