IETF Logo Mail Archive

Re: [hybi] Review of draft-ietf-hybi-thewebsocketprotocol-13

"Richard L. Barnes" <rbarnes@bbn.com> Tue, 06 September 2011 21:50 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2618121F8F32; Tue, 6 Sep 2011 14:50:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.548
X-Spam-Level:
X-Spam-Status: No, score=-106.548 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3tMjX99rIQi; Tue, 6 Sep 2011 14:50:40 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 94FF521F8DBB; Tue, 6 Sep 2011 14:50:40 -0700 (PDT)
Received: from ros-dhcp192-1-51-76.bbn.com ([192.1.51.76]:63862) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.74 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1R13ZD-00048s-Uz; Tue, 06 Sep 2011 17:52:28 -0400
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <4E668E57.4060609@isode.com>
Date: Tue, 06 Sep 2011 17:52:27 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <13036DC3-0A0E-42EA-916C-DF667F6634B9@bbn.com>
References: <942CCA6B-B784-441B-96CA-3506FFC439E1@bbn.com> <4E620046.2000400@isode.com> <E566DD99-64E5-47DF-A24C-3AA4E2EA20CA@bbn.com> <4E668E57.4060609@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.1084)
Cc: General Area Review Team <gen-art@ietf.org>, hybi@ietf.org
Subject: Re: [hybi] Review of draft-ietf-hybi-thewebsocketprotocol-13
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 21:50:41 -0000

>>>> While the "MAY" doesn't specify a requirement, it seems like it would be helpful to implementers in light of the exhaustion/DoS possibilities presented by huge frames and fragmentation.  I would even argue that it should be a "SHOULD".
>>>>     
>>> I am Ok with changing MAY to SHOULD.
>>>   
>> 
>> I'm assuming from your response below that you're OK with going to MUST as well?
>> 
> I don't think it makes much difference here, SHOULD is strong enough. But I can make it a MUST if you insist.

I was just thinking "MUST" because I couldn't think of an exception case.  It's up to you.


>>>> Section 10.3, "It is also necessary that once the transmission of a frame from a client has begun, the payload (application supplied data) of that frame must not be capable of being modified by the application."
>>>> This seems to further argue against the idea that giant frames are useful.
>>>>     
>>> Yes.
>>>   
>>>> They're clearly not useful for streaming (the opposite is suggested in Section 5.4, see above), since the application would have to provide all the data at once.  Section 10.3
>>>> This section should note that even given the masking constraints in this document, proxies are still vulnerable to poisoning by non-browser clients that do not perform masking.    
>> 
>> Suggested text:
>> "
>> Despite the protection provided by masking, non-compliant HTTP proxies will still be vulnerable to poisoning attacks of this type by clients and servers that do not apply masking.
>> "
>> 
> Ok.
> Note that that is not quite correct is masking is not optional for clients, but this is still under discussion.

Regardless of what this protocol does, the vulnerability will still be there, and you can still exploit it, e.g., with the code that was used in the experiment.  It's also not completely unimaginable that someone would make an implementation with configurable masking, if only to re-use framing code between client and server.


>>>> Section 10.4
>>>> Suggest making this a "SHOULD" or even "MUST".  If your implementation does not constrain these things, then it will be vulnerable to exhaustion attacks.      
>>> Ok.
>>>   
>> 
>> So you're changing this to MUST?
>> 
> Ok :-).

Ok!

v2.23.0 | Report a Bug | By Email