IETF Logo Mail Archive

Re: [hybi] WebSockets

Ian Hickson <ian@hixie.ch> Wed, 01 April 2009 06:46 UTC

Return-Path: <ian@hixie.ch>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B28C23A6BA4 for <hybi@core3.amsl.com>; Tue, 31 Mar 2009 23:46:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.223
X-Spam-Level:
X-Spam-Status: No, score=-2.223 tagged_above=-999 required=5 tests=[AWL=-0.224, BAYES_00=-2.599, J_CHICKENPOX_73=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8rnhQQ2+LHcG for <hybi@core3.amsl.com>; Tue, 31 Mar 2009 23:46:16 -0700 (PDT)
Received: from looneymail-a5.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id C8A413A6B30 for <hybi@ietf.org>; Tue, 31 Mar 2009 23:46:16 -0700 (PDT)
Received: from hixie.dreamhostps.com (hixie.dreamhost.com [208.113.210.27]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by looneymail-a5.g.dreamhost.com (Postfix) with ESMTP id 3EBFC121F1A; Tue, 31 Mar 2009 23:47:15 -0700 (PDT)
Date: Wed, 01 Apr 2009 06:47:15 +0000
From: Ian Hickson <ian@hixie.ch>
To: "Roy T. Fielding" <fielding@gbiv.com>
In-Reply-To: <73E288BB-8ED4-4712-A289-6CBF20078274@gbiv.com>
Message-ID: <Pine.LNX.4.62.0904010536340.25058@hixie.dreamhostps.com>
References: <Pine.LNX.4.62.0903302124580.25058@hixie.dreamhostps.com> <BBB4A96C-6101-43C5-AF62-2E242EE64B31@gbiv.com> <Pine.LNX.4.62.0903310201130.25058@hixie.dreamhostps.com> <7B624611-7368-4B5F-B043-C0D96C94E359@gbiv.com> <Pine.LNX.4.62.0903310308470.25058@hixie.dreamhostps.com> <73E288BB-8ED4-4712-A289-6CBF20078274@gbiv.com>
Content-Language: en-GB-hixie
Content-Style-Type: text/css
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: hybi@ietf.org
Subject: Re: [hybi] WebSockets
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2009 06:46:17 -0000

On Tue, 31 Mar 2009, Roy T. Fielding wrote:
> > > >
> > > > Note that the way WebSocket is designed, there's no deliberate 
> > > > fooling; it's a straight up HTTP Upgrade attempt.
> > > 
> > > Not quite.  You can't place constraints on specific ordering of 
> > > bytes within WebSocket and then claim it is HTTP
> > 
> > You're right; my bad. It's not a straight-up HTTP Upgrade attempt. 
> > It's a WebSocket handshake that happens to act like an HTTP Upgrade 
> > attempt in practice. There is indeed deliberate fooling at the 
> > server-side; my point was that there is no deliberate fooling at the 
> > level of security policies.
> > 
> > (The handshake is designed that way so that non-HTTP victim servers 
> > can't be tricked into sending back what looks like a valid response: 
> > we have to have as strict a handshake as possible so that there is as 
> > little room for attacks to maneuver in as possible.)
>
> I think the same goal is accomplished by any valid HTTP/1.1 message.

It seems that the implementation work of checking whether a response is a 
valid HTTP/1.1 message is significantly more complicated than the work of 
determining whether the Web Socket handshake is precisely correct or not.

It also seems far easier to reason about the security aspects of the 
handshake as seen by the servers of other protocols when the handshake is 
a very well-defined series of bytes than when the handshake is an 
open-ended set of possible requests. Similarly, it's a lot less likely 
that an attacker could trick an arbitrary protocol's server into 
outputting the exact sequence of bytes that the Web Socket handshake 
requires than it would be if the handshake consisted of any sequence of 
bytes that matched the HTTP grammar.


> > > However, it could still be used to trigger arbitrary requests by 
> > > intercept proxies that don't understand that the connection has been 
> > > upgraded.
> > 
> > Could you elaborate on this? An example would be very useful.
> 
> I mean that, after the initial constrained Upgrade request is accepted 
> by the server, there is nothing to prevent the WebSocket sender from 
> continuing with a sequence of HTTP requests on the same connection that 
> might be inspected and redirected by an interception proxy (thinking 
> that they are just pipelined normal HTTP requests).

Surely that would be a bug in the proxy.


> > > Alternatively, just use a different port and let the organizations 
> > > decide whether they want to allow such connections through their own 
> > > firewalls.
> > 
> > As designed, WebSocket doesn't default to the HTTP ports. The proposal 
> > has its own port. To use the HTTP ports you have to explicitly 
> > override the default, just like HTTP can be tunnelled over ports other 
> > than port 80.
> 
> In that case, you really are looking for a different protocol rather 
> than just reusing an HTTP connection.

Yes, the Web Socket protocol is its own protocol. Is that not clear in the 
Web Socket Protocol Internet Draft?

The ability to bootstrap using an HTTP connection, Upgrade:ing to 
WebSockets, is optional, and is only intended for advanced users that need 
to reuse the same port for both purposes.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

v2.20.3 | Report a Bug | By Email