Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Wed, 06 October 2010 01:40 UTC

From: Adam Barth <ietf@adambarth.com>
Date: Tue, 05 Oct 2010 18:40:39 -0700
Message-ID: <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

On Tue, Oct 5, 2010 at 6:30 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Adam Barth wrote:
>> On Tue, Oct 5, 2010 at 6:08 PM, Scott Ferguson <ferg@caucho.com> wrote:
>>> Adam Barth wrote:
>>> If you assume the hijacker has control of a DNS server to act as a proxy,
>>> you may as well assume he has control of an actual WebSocket server to act
>>> as a proxy.
>>>
>>
>> Huh?  That doesn't make any sense.  If you run a stock DNS server, it
>> will proxy lots of information from authoritative DNS servers around
>> the world.  That's the whole point of DNS.
>>
>
> C1: Browser at 192.168.1.10 makes TCP websocket connection with local port
> 8888 to DNS server 10.0.0.1.
>
> S2: DNS server returns DNS response to 192.168.1.10:8888 which contains
> H(c-nonce, "WebSocket") somewhere in the payload
>
> C3: Browser notices that DNS response does not have the same syntax as a
> WebSocket response, and closes the connection.
>
> How is this an attack?

The claim was that the presence of H(c-nonce, "WebSocket") in the
payload was sufficient to prove that the respondent understood what
was going on.  Notice that in this example, you're also relying upon
the rigidity of the bytes surrounding the HMAC for security, which
proves my point: the HMAC alone is insufficient.

In any case, I'd encourage you to think about this proposal instead:

http://www.ietf.org/mail-archive/web/hybi/current/msg04285.html

Adam
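As an added illustration of the point argued above (example code, not from the thread or from any WebSocket implementation): a client that merely searches the server's reply for H(c-nonce, "WebSocket") accepts a constructed DNS-like payload that happens to carry that value, while a client that also insists on the fixed handshake syntax around it rejects the same bytes. The HMAC-SHA256 instantiation of H, the header name `Sec-WebSocket-Accept` and the sample nonce are assumptions made here.

```python
import base64
import hashlib
import hmac

MAGIC = b"WebSocket"  # the constant in the thread's H(c-nonce, "WebSocket")


def expected_token(c_nonce: bytes) -> bytes:
    """Assumed instantiation of H: HMAC-SHA256 keyed with c-nonce, base64 encoded."""
    return base64.b64encode(hmac.new(c_nonce, MAGIC, hashlib.sha256).digest())


def weak_verify(payload: bytes, c_nonce: bytes) -> bool:
    """Accepts any reply in which the expected token appears somewhere."""
    return expected_token(c_nonce) in payload


def strict_verify(payload: bytes, c_nonce: bytes) -> bool:
    """Requires a well-formed HTTP/1.1 101 response with Upgrade/Connection
    headers and the token in one named header: the rigid surrounding bytes
    are part of what is verified, not just the token."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    if lines[0] != b"HTTP/1.1 101 Switching Protocols":
        return False
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return False
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"upgrade", b"").lower() != b"websocket":
        return False
    if headers.get(b"connection", b"").lower() != b"upgrade":
        return False
    token = headers.get(b"sec-websocket-accept")  # assumed header name
    return token is not None and hmac.compare_digest(token, expected_token(c_nonce))


def demo() -> dict:
    c_nonce = b"constructed-client-nonce-0001"  # constructed sample value
    tok = expected_token(c_nonce)
    good = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Accept: " + tok + b"\r\n\r\n")
    # Constructed stand-in for step S2: a non-WebSocket, DNS-like reply whose
    # payload carries the token somewhere but has none of the handshake syntax.
    dns_like = b"\x00\x01\x81\x80\x00\x01\x00\x01" + b"TXT" + tok + b"\x00"
    return {"weak_good": weak_verify(good, c_nonce), "strict_good": strict_verify(good, c_nonce),
            "weak_dns": weak_verify(dns_like, c_nonce), "strict_dns": strict_verify(dns_like, c_nonce)}
```

Only the strict verifier tells the two replies apart, which is the sense in which the token alone carries no proof on its own.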