IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Mon, 27 September 2010 01:35 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B4D2F3A6C25 for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 18:35:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.737
X-Spam-Level:
X-Spam-Status: No, score=-0.737 tagged_above=-999 required=5 tests=[AWL=-1.360, BAYES_50=0.001, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3YoprDmeVxve for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 18:35:32 -0700 (PDT)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by core3.amsl.com (Postfix) with ESMTP id 15A363A6C24 for <hybi@ietf.org>; Sun, 26 Sep 2010 18:35:32 -0700 (PDT)
Received: by qyk2 with SMTP id 2so5213658qyk.10 for <hybi@ietf.org>; Sun, 26 Sep 2010 18:36:09 -0700 (PDT)
Received: by 10.220.62.204 with SMTP id y12mr1986381vch.110.1285551369469; Sun, 26 Sep 2010 18:36:09 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id f34sm275261vcs.7.2010.09.26.18.36.08 (version=SSLv3 cipher=RC4-MD5); Sun, 26 Sep 2010 18:36:08 -0700 (PDT)
Received: by iwn3 with SMTP id 3so5017012iwn.31 for <hybi@ietf.org>; Sun, 26 Sep 2010 18:36:07 -0700 (PDT)
Received: by 10.231.151.135 with SMTP id c7mr8046373ibw.184.1285551367001; Sun, 26 Sep 2010 18:36:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.149.20 with HTTP; Sun, 26 Sep 2010 18:35:36 -0700 (PDT)
In-Reply-To: <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 26 Sep 2010 18:35:36 -0700
Message-ID: <AANLkTikfYOCOm_+g3=QCTFOCo=rYsj8WpX8AS65qgkPm@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 01:35:36 -0000

On Sun, Sep 26, 2010 at 6:22 PM, Greg Wilkins <gregw@webtide.com> wrote:
> 2010/9/27 Maciej Stachowiak <mjs@apple.com>:
>> Here is an email from February where I summarized some of the risks from
>> cross-protocol attacks for WebSocket:
>
> thanks for the reference, but I didn't and still don't fully
> understand the actual risk posed by those descriptions and that we are
> still shadow boxing against perceived rather than real threats.
>
>> 1) Hostile JavaScript could use WebSocket for a cross-protocol attack against
>> vanilla HTTP resources or non-HTTP servers.
>> If the attacker can trick a non-WebSocket server into echoing back chosen text (for
>> example through something in the URL part of the request), then they could make
>> it give what appears to be a valid WebSocket handshake response. This could result
>> in unauthorized access.
>
> I don't understand "unauthorized access" in this context.   If a
> server, HTTP or otherwise want to protect it's content, then it needs
> to have both authentication and authorization, which typically means
> that the client will possess some credentials that the server must
> check.

Browser also protect intranet servers which use connectivity as their
sole means of authentication/authorization.

> If the server does not protect its resources or the
> attacker already has access to credentials (or can trick the
> browser/user into providing credentials), then the easiest way to
> access a non-websocket server would be with existing HTTP mechanisms
> in the browser.

The existing HTTP mechanisms exposed to untrusted content in browser
already respects these security invariants.  In adding new network
APIs, browser wish to continue to maintain these invariants.

> Is there anything about WS that would make a vulnerable HTTP server
> easier to exploit than just using the existing HTTP mechanisms
> available in the browser?

Potentially, yes.  That's why we have to worry about these issues in
designing the handshake.

> ie are there any exploit HTTP requests that
> can be generated using the WS client that could not be generated
> anyway?

Not if we correctly secure the WS protocol handshake against these threats.

>> 2) Cross-site XMLHttpRequest (using CORS or XDomainRequest) could be used for a
>> cross-protocol attack against WebSocket resources, potentially violating integrity (though not confidentiality).
>>
>> The WebSocket protocol currently does not require any checking of the client handshake. However, any
>> WebSocket server that performs any side effects in response to messages from the client has a security
>> vulnerability if it does not check correctness of the handshake request from the client.
>
> I think that any server that "performs any side effects in response to
> messages from the client" will have a security vulnerability if they
> do not correctly check the authentication and authorization of the
> client.

This is not an accurate understanding of the security invariants
browsers seek to maintain.

> Eventually most browsers will have WS available to the
> javascript, so a server that is so vulnerable will be able to be
> exploited just with WS instead of trying to trick HTTP.

Browser seek to protect servers that have never heard of WebSockets
and have no interest in these newer technologies.  From that
perspective, it's important to compare the security invariants of the
browser before and after introducing WebSockets.  We need to study any
change in these invariants to make sure they don't introduce security
vulnerabilities in existing servers.  This is a prerequisite for
exposing the WebSocket API to untrusted content in the browser.

> The read question should be - are there any WS
> authentication/authorization mechanisms that can be subverted by using
> a HTTP mechanism instead of a the WS API?

That's part of the question.

> I still think that we should take reasonable measures to prevent cross
> protocol handshakes - even if there are no identified real security
> issues.

Instead of playing "whack a mole" against the cross-protocol attacks
we can think of today, we should design the protocol such that we have
reasonable assurance that we won't discover cross-protocol attacks
tomorrow.  The WebSocket protocol is going to be with us for a long
time.  These attacks are subtle and take years to flush out of a
shoddy design.

> But I think that the usage of Sec- headers and a simple nonce
> will give very good protection and that we only need do more if there
> is a real clearly identified risk.

With all due respect, I'm not convinced you have a strong enough
handle on the required security properties to make such a bold claim.

Adam

v2.23.0 | Report a Bug | By Email