IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Fri, 01 October 2010 01:49 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8D3633A6E87 for <hybi@core3.amsl.com>; Thu, 30 Sep 2010 18:49:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.193
X-Spam-Level:
X-Spam-Status: No, score=-2.193 tagged_above=-999 required=5 tests=[AWL=0.072, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CnA-htVA2RTs for <hybi@core3.amsl.com>; Thu, 30 Sep 2010 18:49:58 -0700 (PDT)
Received: from smtp112.biz.mail.sp1.yahoo.com (smtp112.biz.mail.sp1.yahoo.com [69.147.92.225]) by core3.amsl.com (Postfix) with SMTP id 3E7FA3A6CB9 for <hybi@ietf.org>; Thu, 30 Sep 2010 18:49:58 -0700 (PDT)
Received: (qmail 3864 invoked from network); 1 Oct 2010 01:50:40 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp112.biz.mail.sp1.yahoo.com with SMTP; 30 Sep 2010 18:50:40 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: hbzPJpgVM1nXgp7rjpUQDbkIDfL9xd4w4l5dJhwarsAtteA hZXPHFSl75XfE5t9hJ1hsu_dcbCh8_KVgbcj47zCmsYflmZ2Bj.8Slmxawem DHphceZjNSU7KF2HmpeabcbeVn_C4Eq1WwmdSHDLQ.RaqoIcWZ6sC_6avOKA CKQ4X34_ijWHztFrPBZIbLAeKxwtj2eoJVaP5zdtaIwjtCBo4ppLeOBiCjAs cwabRnUiBEPVCNnX3GcRnsE92N_3r2benEExMkbL4MHXHM9eATWQzDFI13.m N3KxFQZwtDKTUOPc_ngJOZgiNvsma1XcKBlo_BZZXLLHLvaendMbhQA--
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CA53E6B.1040808@caucho.com>
Date: Thu, 30 Sep 2010 18:50:35 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com> <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail. com>
In-Reply-To: <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 01:49:59 -0000

Adam Barth wrote:
> On Thu, Sep 30, 2010 at 9:42 AM, Scott Ferguson <ferg@caucho.com> wrote:
>   
>> Maciej Stachowiak wrote:
>>     
>>> On Sep 29, 2010, at 3:28 AM, Greg Wilkins wrote:
>>>       
>>>> On 29 September 2010 18:56, Maciej Stachowiak <mjs@apple.com> wrote:
>>>>         
>>>>> I suspect -76 is not strong enough, but it is slightly stronger in some
>>>>> specific ways. First, by spreading the data across multiple header
>>>>> fields
>>>>> and incorporating whitespace, it makes it slightly trickier to do
>>>>> injection
>>>>> attacks.
>>>>>           
>>>> Why is hex encoding simpler to inject than the space/char injected
>>>> decimal encoding?
>>>>         
>>> Because you can't inject whitespace into the resource name in the request
>>> line.
>>>       
>> Maciej, you're missing the entire point of the hash.  The main purpose of a
>> hash/digest is to detect modification or replacement of a message as in an
>> injection attack. That's what a digest does.
>>     
>
> If that's the purpose of the hash, which elements of the protocol
> defend against cross-protocol attacks?
>   

Ok. I think it's a good idea to step back a bit so we don't get lost in 
the weeds, because the injection discussion is a bit of a distraction.

The two main defenses against the cross protocol attack are:

  1) the client verifies the server as the same protocol before sending 
potentially damaging data ("server validation").

  2) the server verifies the client as the same protocol before 
interpreting potentially damaging data ("client validation").

For 1), server validation, the hash proposal accomplishes server 
validation based on the following:

  a) non-websocket servers will not be in possession of the "WebSocket" 
identifier
  b) c-nonce is not available to or predictable by the hijacker
  c) H(c-nonce, "WebSocket") cannot be produced by the hijacker, i.e. 
the hijacker can't get around its ignorance of (b) by producing a hash 
collision.

On the injection side-issue, as long as the hijacker cannot force a 
collision of the hash, any injection of c-nonce will be detected and 
rejected, because producing a bogus c-nonce will result in a bogus hash 
and therefore a rejection by the client before it sends damaging data.

If we're worried about injection into other parts of the request, like 
the URL, we could include them into the hash, so the client could verify 
that the server received the URL it thinks it sent. (As long as that 
change doesn't enable collisions of the resulting hash function.)

As a side effect, the hash function protects servers that don't 
calculate the hash at all, but that's not a sufficient defense, because 
a future protocol could copy the WebSockets handshake hash functions. 
But that calculation protection and the protection against injection are 
not the critical pieces. It's (a)-(c) that are providing the defense.

For 2), client validation, there are two independent defenses

2.1) "WEBSOCKET" method. If a hijacker cannot produce the "WEBSOCKET_" 
bytes because the browsers restrict HTTP methods, the server can verify 
the client as websocket with the first bytes, with the side effect of 
offering a limited defense for some non-websocket servers against URL 
and header cross-protocol attacks.

2.2) PING/PONG hash.

  a) s-nonce is not available to or predictable by the hijacker
  b) A non-websocket client is not in possession of the "WebSocket" 
identifier
  c) H(s-nonce, "WebSocket") cannot be produced by the hijacker and will 
not be produced by the hijacked non-websocket protocol.

In this case, for (b,c) I'm really thinking of some future non-HTTP 
protocol in the browser. It would be possible for a future protocol to 
follow the lead of WebSocket and use the same PONG hash calculation. But 
that future client will not be in possession of the "WebSocket" bytes. 
It's a bit of overkill for HTTP clients, but I think it would useful to 
handle future protocols.

To repeat the key pieces:

  a) c-nonce must not be available to or predictable by the hijacker
  b) "WebSocket" is not possessed by a non-websocket server
  c) s-nonce must not be available to or predictable by the hijacker
  d) "WebSocket" is not possessed by a non-websocket client
  e) the hashes must not have predictable collisions

  f) this does not protect non-validating servers against URL or HTTP 
header cross-protocol  attacks; its defense is limited to the frame stream.

-- Scott
> Adam
>
>
>
>

v2.23.0 | Report a Bug | By Email