IETF Logo Mail Archive

Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

"Thomson, Martin" <Martin.Thomson@andrew.com> Tue, 27 July 2010 06:00 UTC

Return-Path: <Martin.Thomson@andrew.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 364093A67F9 for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 23:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.26
X-Spam-Level:
X-Spam-Status: No, score=-3.26 tagged_above=-999 required=5 tests=[AWL=-0.661, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDNriF-CqZ1M for <hybi@core3.amsl.com>; Mon, 26 Jul 2010 23:00:09 -0700 (PDT)
Received: from csmailgw1.commscope.com (csmailgw1.commscope.com [198.135.207.244]) by core3.amsl.com (Postfix) with ESMTP id D58D23A686B for <hybi@ietf.org>; Mon, 26 Jul 2010 23:00:08 -0700 (PDT)
Received: from [10.86.20.103] ([10.86.20.103]:7792 "EHLO ACDCE7HC2.commscope.com") by csmailgw1.commscope.com with ESMTP id S28702355Ab0G0GA3 (ORCPT <rfc822; hybi@ietf.org>); Tue, 27 Jul 2010 01:00:29 -0500
Received: from SISPE7HC1.commscope.com (10.97.4.12) by ACDCE7HC2.commscope.com (10.86.20.103) with Microsoft SMTP Server (TLS) id 8.1.436.0; Tue, 27 Jul 2010 00:58:41 -0500
Received: from SISPE7MB1.commscope.com ([fe80::9d82:a492:85e3:a293]) by SISPE7HC1.commscope.com ([fe80::8a9:4724:f6bb:3cdf%10]) with mapi; Tue, 27 Jul 2010 13:58:39 +0800
From: "Thomson, Martin" <Martin.Thomson@andrew.com>
To: Scott Ferguson <ferg@caucho.com>, Maciej Stachowiak <mjs@apple.com>
Date: Tue, 27 Jul 2010 13:57:39 +0800
Thread-Topic: [hybi] Insight you need to know: Browsers are at fault when servers crash
Thread-Index: Acss+f0HpEXMf34fTZW+cdXSlRMKVQATHvlQ
Message-ID: <8B0A9FCBB9832F43971E38010638454F03EB773703@SISPE7MB1.commscope.com>
References: <AANLkTilfxps1wWjFrwrH_3Js6Q9E331AMKFRNHfeHcdL@mail.gmail.com> <AANLkTi=vPAnnK0=gE=YN10vt9b-f6sWXXcwK+La5SriO@mail.gmail.com> <623C6D70-B4AF-49EC-BA07-6F90BD0FFFBF@apple.com> <AANLkTi=Q-PVrdaWuOu3H=wUiphe6JB4C+LauSOXKozoY@mail.gmail.com> <AANLkTi=Z-Zw3gJAdwQMAqG5UUVnV_kgsGm3M_qQ2Bwt7@mail.gmail.com> <8B47440C-7CFD-442F-94E3-96A8EBE7D25D@apple.com> <AANLkTimRo_ubic96z3VgwexiOw0KJg10HQedmcuBs6jp@mail.gmail.com> <FA3856A4-FF29-430E-8BE4-3049F1E33A03@apple.com> <AANLkTim14YJgikfeU9k84xMqtcFt0cdqJQZcsNmvt-Eo@mail.gmail.com> <1453160A-6353-4720-88BA-43D17038B4A7@apple.com> <AANLkTimT+mNXBoQO5L11_ibv645u8Se5K+GBhP9vKXmj@mail.gmail.com> <25137069-5C6D-4171-873D-65F9925077A8@apple.com> <AANLkTin1PBskrUYFeOYzexwZOe++WSOCiSRbp6_RDCsh@mail.gmail.com> <E15FFECE-32B6-49CB-B2D0-5D536A309523@apple.com> <4C4DDD72.1070307@caucho.com>
In-Reply-To: <4C4DDD72.1070307@caucho.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-BCN: Meridius 1000 Version 3.4 on csmailgw1.commscope.com
X-BCN-Sender: Martin.Thomson@andrew.com
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Insight you need to know: Browsers are at fault when servers crash
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2010 06:00:16 -0000

Is it also possible that the client can be validated by virtue of it providing and using the nonce?

Given the nature of the protocol, the same key can be used to "randomize" the stream in both directions after the handshake.

This reduces the problem to the one where an attacker coerces the client into providing such a nonce (or having it appear so).  That requires control over the key parts of the handshake.

--Martin

p.s. This problem really needs a concrete mechanism at this stage.  Even an example or two might help.

> -----Original Message-----
> From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of
> Scott Ferguson
> Sent: Monday, 26 July 2010 9:10 PM
> To: Maciej Stachowiak
> Cc: hybi@ietf.org
> Subject: Re: [hybi] Insight you need to know: Browsers are at fault
> when servers crash
> 
> Maciej Stachowiak wrote:
> > The difficulty is that the computation has to validate the HTTP-level
> handshake, looking at elements that cannot easily be forged, or it
> suffers from the same problem I described above. If it is derived
> solely from portions of the request that could be attacker-controlled,
> then it is predictable to the attacker, so using it as part of the
> crypto key for the body is no obstacle to injecting chosen plaintext.
> >
> But there are two separate validations: validating the client and
> validating the server. The same computation doesn't validate both at
> once. (It can't validate both at once, because the client validates the
> server but the server validates the client.)
> 
> Your proposed attack is the client-validation problem: is the client a
> real websocket client? (where the server is a websocket server.)
> 
> Adam's proposal is for the server-validation problem: is the server a
> real websocket server? (where the client is a websocket client.) It
> doesn't address the client-validation problem.
> 
> But it's not a flaw in Adam's proposal that it doesn't address the
> client-validation problem. It would only be a flaw if the attack showed
> a weakness in solving the server-validation problem.
> 
> (Just to be clear, it's not possible to have both issues in the same
> attack, because a non-websocket client talking to a non-websocket
> server
> isn't our problem.)
> > This means we'd need something with similar complexity to the current
> handshake, except we'd have the benefit that the first client -->
> server message can save a round trip.
> >
> The client-validation problem could be solved if there are elements in
> the initial request that cannot be forged, as you pointed out. For
> example, if the HTTP method cannot be forged, changing the HTTP method
> to something like "WEBSOCKET" would validate the client as a real
> websocket client.
> 
> If the entire request can be forged by a non-web-socket client, then
> you
> do need a second client response to the server's initial response. If
> the entire request can be forged, the server needs to send a random
> nonce and force the client to compute a hash to prove the client is a
> real client.
> 
> -- Scott
> > On the other hand, using your scheme straight-up without a prior HTTP
> header is probably safe without any additional rigidity.
> >
> > Regards,
> > Maciej
> >
> > _______________________________________________
> > hybi mailing list
> > hybi@ietf.org
> > https://www.ietf.org/mailman/listinfo/hybi
> >
> >
> >
> >
> 
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi

v2.23.0 | Report a Bug | By Email