Re: [hybi] I-D Action:draft-ietf-hybi-thewebsocketprotocol-01.txt

Willy Tarreau <w@1wt.eu> Thu, 02 September 2010 06:15 UTC

Date: Thu, 02 Sep 2010 08:16:13 +0200
From: Willy Tarreau <w@1wt.eu>
To: Hector Santos <hsantos@isdg.net>
Message-ID: <20100902061613.GK10275@1wt.eu>
References: <20100901224502.0519B3A687C@core3.amsl.com> <AANLkTikP1CF22fL0rBniXmrxEoBAbTNfzP9kyiNA4nbb@mail.gmail.com> <AANLkTi=_1m36ThFZTH_aGE_Unz0KTeexJq_74UGr2j+u@mail.gmail.com> <B68E5323-E259-4D27-BB32-ED86961209FC@gbiv.com> <20100902051929.GD10275@1wt.eu> <4C7F3F21.3000200@isdg.net>
In-Reply-To: <4C7F3F21.3000200@isdg.net>
User-Agent: Mutt/1.4.2.3i
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Hybi HTTP <hybi@ietf.org>
Subject: Re: [hybi] I-D Action:draft-ietf-hybi-thewebsocketprotocol-01.txt

On Thu, Sep 02, 2010 at 02:07:29AM -0400, Hector Santos wrote:
> Willy Tarreau wrote:
> 
> >I would add that protocol naming and versioning is also an efficient
> >way to protect against cross-protocol attacks, which is regularly
> >brought to the table here... If SMTP required a version on its first
> >line instead of ignoring all unparsable lines, we would not be looking
> >for ways to prevent a web client from sending emails over SMTP through
> >POST requests.
> 
> Speaking with my SMTP developer hat on, I don't follow, Willy, how this
> is a problem.
> 
> Many MTAs already trap and count unknown commands. If the first command
> is POST, you can reject the client immediately or prevent it from
> going into the next state until it issues QUIT, or drop the line for
> excessive out-of-state commands.

Well, this is precisely a consequence of the problem I talked about. POST
has never been part of the SMTP protocol, and it's because the SMTP
protocol is prone to such attacks that these checks have been added in
implementations. Maybe some updates to the protocol have since been emitted
to suggest this, but I always had the feeling that these protections were
just good implementers' choices in the face of a real threat.

Regards,
Willy
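
The MTA check Hector describes, beside the "ignore unparsable lines" behaviour Willy contrasts it with, as an added example in Python (not code from this thread or from any real MTA); the command set, reply codes and the bad-command threshold are assumptions for illustration:

```python
# Added example, not from the thread or any MTA: a minimal SMTP command
# filter doing what Hector describes (reject a client whose first line is
# not an SMTP command, drop one that keeps sending bad commands), beside
# the lenient behaviour Willy criticises (unparsable lines ignored).
# Command set, reply codes and threshold are assumptions for illustration.

SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
                 "NOOP", "QUIT", "VRFY", "STARTTLS"}
MAX_BAD_COMMANDS = 3  # assumed threshold for "excessive" bad commands


def check_session(lines, lenient=False):
    """Return (verdict, replies): verdict is "reject" (closed on the first
    line), "drop" (excessive bad commands) or "ok" (session completed)."""
    replies, bad, greeted = [], 0, False
    for i, line in enumerate(lines):
        verb = line.split(" ", 1)[0].upper()
        if i == 0 and not lenient and verb not in SMTP_COMMANDS:
            # First line is not SMTP (e.g. an HTTP request line): close now,
            # before any later line that might be a valid command is read.
            replies.append("554 not an SMTP client")
            return "reject", replies
        if verb in ("HELO", "EHLO"):
            greeted = True
            replies.append("250 ok")
        elif verb == "QUIT":
            replies.append("221 bye")
            return "ok", replies
        elif verb in SMTP_COMMANDS and greeted:
            replies.append("250 ok")
        elif verb in SMTP_COMMANDS:  # known command before HELO/EHLO
            replies.append("503 bad sequence")
            bad += 1
        elif lenient:
            continue  # unparsable line silently ignored
        else:
            replies.append("500 unrecognised command")
            bad += 1
        if not lenient and bad >= MAX_BAD_COMMANDS:
            replies.append("421 too many bad commands")
            return "drop", replies
    return "ok", replies


# Constructed sample: an HTTP POST that reached the SMTP port with SMTP
# commands in its body, and an ordinary session for comparison.
POST_TO_SMTP = ["POST / HTTP/1.1", "Host: mail.example.invalid", "",
                "HELO client.invalid", "MAIL FROM:<u@example.invalid>", "QUIT"]
NORMAL = ["EHLO client.invalid", "MAIL FROM:<u@example.invalid>", "QUIT"]
```

With the strict first-line check the POST is refused before its body is read; in lenient mode the same input is accepted as a normal session, which is the gap Willy's point about protocol naming and versioning closes.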