Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Greg Wilkins <gregw@webtide.com> Sat, 27 November 2010 00:54 UTC

In-Reply-To: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com>
References: <AANLkTim_8g-Cb01si00EkvCK5BtXUx3zHsUee1F6JqsD@mail.gmail.com>
Date: Sat, 27 Nov 2010 11:55:51 +1100
X-Google-Sender-Auth: lXSt-KOPPYCX6JwH8A66PSuRTak
Message-ID: <AANLkTimSu1fOGCg0gqX2EFh4v-MkpZuY_-onm3+TO_Z0@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: multipart/alternative; boundary="00248c1767b4f0bbf50495fe4c12"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Adam,

On the whole, your paper looks like excellent work and I think you have
discovered an existing vulnerability which obviously needs to be fixed.

With regards to websocket, your paper says:
  "Our advertisement contains a SWF which performs the WebSocket handshake,
spoofs an HTTP request upon handshake success, ..."

Was the spoofed HTTP request framed as a websocket frame?

Would it be possible for you to repeat the experiment, but with the framing
changes proposed to make WS frames less likely to be interpreted as HTTP (i.e.
flipping the sense of the more bit)? Also it would be interesting to see if
the exchange of HELLO frames after the handshake had an effect on
transparent proxies.

regards

On 27 November 2010 10:48, Adam Barth <ietf@adambarth.com> wrote:

> David Huang, Eric Chen, Eric Rescorla, Collin Jackson, and I have been
> experimenting with the security of the Upgrade-based and CONNECT-based
> WebSocket handshakes.  Please find a paper detailing our findings at
> this location:
>
> http://www.adambarth.com/experimental/websocket.pdf
>
> == Summary ==
>
> The Upgrade-based handshake is vulnerable to attack in network
> configurations involving transparent (or intercepting) proxies.  The
> core issue is that some number of transparent proxies do not
> understand the HTTP Upgrade mechanism and therefore don't understand
> that the remaining bytes sent by the attacker on the socket are not
> HTTP.  These proxies treat these bytes as subsequent HTTP requests,
> letting the attacker either circumvent firewalls or, worse, poison the
> proxy's HTTP cache (depending on how the proxy is configured).  Please
> see the paper for details about how these attacks work.
>
> To demonstrate that these attacks work in practice and to estimate how
> many users are vulnerable to attack, we ran an experiment on the
> Internet using a rich-media advertisement.  We found that for a $100,
> we were able to poison the cache of 8 users by using the Upgrade-based
> handshake.  When the attacker is able to poison the proxy's cache in
> this way, the attacker can exploit /every/ user of the cache, with
> potentially dangerous consequences.  For example, the attacker can
> poison the proxy's cache entry for
> http://www.google-analytics.com/ga.js and inject JavaScript into
> approximately 57% of the top 10,000 web sites.
>
> We attempted to mount the same class of attack against the
> CONNECT-based handshake.  We were unable to poison any proxy caches
> when using the CONNECT-based handshake.  Based on the data we've
> collected, vastly more proxies appear to understand the semantics of
> CONNECT requests than understand the semantics of the Upgrade
> mechanism.  This is consistent with our prior beliefs because CONNECT
> is widely used on the Internet to tunnel TLS through proxies whereas
> Upgrade is used rarely.
>
> == Recommendation ==
>
> We recommend that the working group adopt the CONNECT-based handshake
> described in draft-abarth-websocket-handshake rather than an
> Upgrade-based handshake.  Empirically speaking, the CONNECT-based
> handshake avoids the real-world attacks we have demonstrated against
> Upgrade-based handshakes, requires no more round trips, succeeds
> approximately as often, and complies with HTTP.
>
> Kind regards,
> Adam
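The core issue Adam's summary describes (a proxy that does not understand Upgrade keeps parsing the post-handshake bytes as HTTP requests) and Greg's question about framing can be made concrete with a small model of an intermediary's request splitter. The code below is an added example written for this archive page; it is not code from the paper, the draft, or either author. It assumes a strict request-line parser (one that rejects a line whose first byte is not an HTTP token character), a constructed origin and resource under the reserved `.test` domain, and, for the framing check, that the flipped "more" bit is the high bit of a frame's first byte, so an unfragmented text frame begins with 0x81. The traffic is constructed for the example.

```python
"""
Toy model of an HTTP intermediary's view of one client connection, before and
after a WebSocket Upgrade handshake.  Added example; the traffic, hostnames
and framing layout below are assumptions made for illustration.
"""
import re

# RFC 2616 token characters: a request-line must begin with one of these.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN + rb") (\S+) HTTP/1\.[01]$")


def parse_request_head(head):
    """Return (method, target, headers) for one request head, or None when the
    request line is malformed, e.g. because it starts with a non-token byte."""
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def proxy_requests(client_stream, server_status, upgrade_aware):
    """Split a client byte stream the way an intermediary would.

    Returns (requests, tunneled): the (method, target) pairs the proxy parsed
    as HTTP requests (and would therefore match against its cache) and the
    bytes it relayed opaquely.  server_status is the status the origin
    returned to the Upgrade request; only 101 switches protocols.
    """
    requests = []
    rest = client_stream
    while b"\r\n\r\n" in rest:
        head, rest = rest.split(b"\r\n\r\n", 1)
        parsed = parse_request_head(head)
        if parsed is None:
            # Malformed request line: a strict proxy errors out or closes.
            break
        method, target, headers = parsed
        requests.append((method, target))
        is_upgrade = (
            b"upgrade" in headers.get(b"connection", b"").lower()
            and headers.get(b"upgrade", b"").lower() == b"websocket"
        )
        if is_upgrade and server_status == 101 and upgrade_aware:
            # The proxy understood Upgrade: whatever follows is not HTTP.
            return requests, rest
    return requests, b""


def frame_final(payload):
    """Assumed framing: high bit of the first byte marks the final fragment
    (the flipped 'more' bit), opcode 1 = text, then a one-byte length.
    Payloads of 126 bytes or more are out of scope for this example."""
    assert len(payload) < 126
    return bytes([0x81, len(payload)]) + payload


def would_parse_as_http(data):
    """Would a strict parser accept the start of `data` as an HTTP request?"""
    return parse_request_head(data.split(b"\r\n\r\n", 1)[0]) is not None


# Constructed traffic: a WebSocket handshake followed by an HTTP request that
# the browser never sent, written on the same socket after the handshake.
HANDSHAKE = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: ws.example.test\r\n"
    b"Connection: Upgrade\r\n"
    b"Upgrade: WebSocket\r\n"
    b"\r\n"
)
SPOOFED = (
    b"GET http://static.example.test/lib.js HTTP/1.1\r\n"
    b"Host: static.example.test\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for aware in (False, True):
        seen, tunneled = proxy_requests(HANDSHAKE + SPOOFED, 101, aware)
        print("upgrade_aware=%s requests=%r tunneled=%d bytes"
              % (aware, seen, len(tunneled)))
    print("framed request parses as HTTP:",
          would_parse_as_http(frame_final(SPOOFED)))
```

The Upgrade-unaware path is the one the paper blames: the second request head is parsed and keyed into the cache exactly as if the browser had issued it. The aware path stops parsing after relaying the 101, and it keeps parsing when the origin refuses the upgrade (any status other than 101), which is the correct behaviour in both cases. The framing check only shows that a strict parser rejects a frame whose first byte is outside the token set; an intermediary that skips leading bytes before a request line would not be stopped by it, and that is precisely what repeating the experiment with the new framing would measure.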