IETF Logo Mail Archive

Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

Adam Barth <ietf@adambarth.com> Mon, 26 July 2010 07:39 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C9563A69D2 for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 00:39:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.66
X-Spam-Level:
X-Spam-Status: No, score=-1.66 tagged_above=-999 required=5 tests=[AWL=0.317, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JD0CpGBXW3n for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 00:39:23 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 2B7063A687D for <hybi@ietf.org>; Mon, 26 Jul 2010 00:39:23 -0700 (PDT)
Received: by iwn38 with SMTP id 38so2766389iwn.31 for <hybi@ietf.org>; Mon, 26 Jul 2010 00:39:44 -0700 (PDT)
Received: by 10.231.146.134 with SMTP id h6mr8100306ibv.170.1280129983825; Mon, 26 Jul 2010 00:39:43 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id e8sm3410186ibb.14.2010.07.26.00.39.42 (version=SSLv3 cipher=RC4-MD5); Mon, 26 Jul 2010 00:39:42 -0700 (PDT)
Received: by iwn38 with SMTP id 38so2766363iwn.31 for <hybi@ietf.org>; Mon, 26 Jul 2010 00:39:42 -0700 (PDT)
Received: by 10.231.190.132 with SMTP id di4mr8212163ibb.78.1280129982186; Mon, 26 Jul 2010 00:39:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.79.85 with HTTP; Mon, 26 Jul 2010 00:39:22 -0700 (PDT)
In-Reply-To: <FA3856A4-FF29-430E-8BE4-3049F1E33A03@apple.com>
References: <AANLkTilfxps1wWjFrwrH_3Js6Q9E331AMKFRNHfeHcdL@mail.gmail.com> <AANLkTi=vPAnnK0=gE=YN10vt9b-f6sWXXcwK+La5SriO@mail.gmail.com> <623C6D70-B4AF-49EC-BA07-6F90BD0FFFBF@apple.com> <AANLkTi=Q-PVrdaWuOu3H=wUiphe6JB4C+LauSOXKozoY@mail.gmail.com> <AANLkTi=Z-Zw3gJAdwQMAqG5UUVnV_kgsGm3M_qQ2Bwt7@mail.gmail.com> <8B47440C-7CFD-442F-94E3-96A8EBE7D25D@apple.com> <AANLkTimRo_ubic96z3VgwexiOw0KJg10HQedmcuBs6jp@mail.gmail.com> <FA3856A4-FF29-430E-8BE4-3049F1E33A03@apple.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 26 Jul 2010 09:39:22 +0200
Message-ID: <AANLkTim14YJgikfeU9k84xMqtcFt0cdqJQZcsNmvt-Eo@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org
Subject: Re: [hybi] Insight you need to know: Browsers are at fault when servers crash
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2010 07:39:24 -0000

On Mon, Jul 26, 2010 at 7:15 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Jul 25, 2010, at 10:12 PM, John Tamplin wrote:
> On Mon, Jul 26, 2010 at 1:03 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> I think the idea here would be to use encryption solely to prevent the
>> attacker from predicting either input or output bytes - in effect to
>> scramble the bits, rather than to provide confidentiality.
>
> Ineffective encryption doesn't really pose a barrier to producing plain text
> to produce a desired cipher text.  Maybe if the key can't be controlled by
> the attacker and varies on each packet, but it still seems like you are
> playing with fire to say you don't have to use a secure encryption method to
> prevent this.
>
> Let's see the details of Adam's idea before we discuss further.

Sorry, I'm slightly distracted at the IETF meeting in Maastricht at
the moment.  Here's the main idea.

Mike wanted to know if there was any way to avoid the round-trip in
the current handshake (I think he views round-trips as quite
expensive).  That leaves us with the following requirements:

1) Zero round trips.
2) We can't send attacker-controlled bytes to the server before the
server proves it understands web sockets.

So how can we start sending content before hearing back from the
server?  The idea is to encrypt the bytes using a key that a WebSocket
server can derive but that look uniformly at random to a non-WebSocket
server.  The easiest way to do this is for the client to send the
server a nonce and then for the client and server to hash that nonce
with a GUID that identifies the WebSocket protocol to generate an
encryption key.  You can then encrypt the attacker's content using
that key (e.g., using AES, RC4, or whatever you like).

Now, I should say this give slightly weaker security properties than a
handshake that waits for the server to opt-in.  For example, if the
server falls over (or generates print jobs) when it receives random
bytes, then we'll still get in trouble, but limiting the attacker to
random bytes reduce the attack surface significantly.  It's probably
also a good idea to limit how much data we're willing to send before
hearing back from the server, but this idea allows some flexibility
beyond zero.

There isn't really any dependency between the format of the handshake
and this trick for saving the round-trip.  You can build the entire
handshake using this idea so that the server only receives
random-looking bytes, but, as Maciej mentions, that makes it difficult
to share with an HTTP server.  You can also this this idea at the end
of an HTTP-like handshake to get started sending data without waiting
for the server to reply.

Adam

v2.23.0 | Report a Bug | By Email