Re: [hybi] Call for interest: multiplexing dedicated for WebSocket
Tobias Oberstein <tobias.oberstein@tavendo.de> Thu, 30 May 2013 18:44 UTC
Return-Path: <tobias.oberstein@tavendo.de>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6792221F8F11 for <hybi@ietfa.amsl.com>; Thu, 30 May 2013 11:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCg79U-XAXkv for <hybi@ietfa.amsl.com>; Thu, 30 May 2013 11:44:00 -0700 (PDT)
Received: from EXHUB020-4.exch020.serverdata.net (exhub020-4.exch020.serverdata.net [206.225.164.31]) by ietfa.amsl.com (Postfix) with ESMTP id 791CA21F8F9E for <hybi@ietf.org>; Thu, 30 May 2013 11:44:00 -0700 (PDT)
Received: from [78.42.145.191] (78.42.145.191) by smtpx20.serverdata.net (206.225.164.36) with Microsoft SMTP Server (TLS) id 8.3.264.0; Thu, 30 May 2013 11:43:58 -0700
Message-ID: <51A79DF0.5060901@tavendo.de>
Date: Thu, 30 May 2013 20:44:00 +0200
From: Tobias Oberstein <tobias.oberstein@tavendo.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Roberto Peon <fenix@google.com>
References: <CAH9hSJZxr+aG7GZa4f-dUOTGj4bnJ+3XxivUX4jei5CMyqN4LQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C319646@EXVMBX020-12.exch020.serverdata.net> <CAH9hSJYrrbSM3TTSKCQ=AMcwCfE4zqNAa1kuAvecrXZTLqy2gQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C3DA774@EXVMBX020-12.exch020.serverdata.net> <CAHixhFrTk79A07BjQCgvep_+bmA4rGG1ZvqmoS6gsQYNPyPoZA@mail.gmail.com> <CAH9hSJYFa+bqN=e7x87W+Xvq-st70nbzUXniQaPme2fzspCjWA@mail.gmail.com> <51A70DF9.5010601@tavendo.de> <CAGzyod6daSOvAVHU6B=Qr0xDqNca_8iXrFYr0gTGdqZPryFFpA@mail.gmail.com>
In-Reply-To: <CAGzyod6daSOvAVHU6B=Qr0xDqNca_8iXrFYr0gTGdqZPryFFpA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Call for interest: multiplexing dedicated for WebSocket
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 18:44:05 -0000
Am 30.05.2013 20:28, schrieb Roberto Peon: > Different schemas have nothing to do with the CRIME attack. > A pure HTTPS or WSS scheme could still be attacked with CRIME, with its > success depending on the way the compression mechanism works. > With the current HTTP/2 proposals it would be pretty difficult to attack > using the techniques in the CRIME attack. > > The way CRIME works is to have a 3rd party include links to the > site-to-attack. Thus it doesn't matter if the schemes are http, https, > ws, wss, whatever. > So, a restriction against muxing ws and wss together makes no sense as > it provides no security benefit for CRIME. What about the other issues listed? Example: An app first connect to a ws: address. Then the app opens a 2nd connection over wss: to the same target (IP:port) sending some sensitive information (either in cookies or in payload) relying on the presumed privacy/encryption provided by wss:. An implementation of MUX might run the 2nd wss: connection as a logical WS connection over an _unencrypted_ physical ws: that was established in the first place upon the app opening the 1st ws: connection. So at least the implementation must not mux logical wss: over physical ws:. Transporting logical ws: over physical wss: seems less problematic. > -=R > > > On Thu, May 30, 2013 at 1:29 AM, Tobias Oberstein > <tobias.oberstein@tavendo.de <mailto:tobias.oberstein@tavendo.de>> wrote: > > Am 30.05.2013 09:28, schrieb Takeshi Yoshino: >> On Thu, May 30, 2013 at 1:12 PM, Adam Rice <ricea@google.com >> <mailto:ricea@google.com>> wrote: >> >> So d) - f) cannot be multiplexed over the same physical WS >> as a) - c)? >> >> Or can an implementation just "silently" transport a)-c) >> also over wss, and hence multiplex all of a) - f) over 1 >> physical WS? >> >> >> The handshake does not currently include the schema, so there >> would be no way to communicate to the server that a)-c) were >> supposed to be ws:, not wss:. >> >> >> Right. I missed that point. >> >> Even if this was amended, both client and server would have to >> be careful that no ambient authority leaked from the wss: >> channels to the ws: channels. For example: the client would >> have to be careful not to send "secure" cookies with the ws: >> handshakes, and the server would have to be careful not to >> apply any authority contained in a client TLS certificate to >> the ws: logical channels. >> >> For this reason, I think it would be easiest not to attempt to >> multiplex ws: and wss: onto a single TCP/IP connection. >> >> >> Compression contexts, etc. also need to be isolated carefully to >> protect it from attack like CRIME. > > I also agree with Adam. To summarize, given the possible "issues" of > > - client cert based auth > - "secure" cookies / ambient authority > - compression contexts / CRIME > > (plus complexities like: what if an app opens ws://domain.com, and > then _later_ opens wss://domain.com? Upgrade to TLS not possible > anymore .. cannot TLS handshake in the middle of an already > established non-TLS TCP where some traffic already traveled .. the > WS handshake at least.) > > I think it would be good to include explicit text into the MUX > draft, e.g. > > """ > An implementation MUST NOT multiplex multiple logical channels to > WebSocket addresses with different schemes (ws: versus wss:) on a > single physical WebSocket connection. > > For example, two WebSocket connections to ws://domain.com and > wss://domain.com must not be shared on a single physical WebSocket > connection to domain.com <http://domain.com>. > """ > > I also think it would be helpful to include explicit text describing > what WebSocket addresses are eligible for sharing, e.g. > > """ > An implementation MAY multiplex multiple logical channels to > different WebSocket addresses if and only if the WebSocket addresses > share the same WebSocket scheme, the hostname resolves to the same > IP address and the same port. > > For example, connections to all of the following WebSocket addresses > may be multiplexed over a single physical WebSocket connection > (assum domain.com <http://domain.com>, domain2.com > <http://domain2.com> and sub1.domain.com <http://sub1.domain.com> > all resolve to the same IP address): > > ws://domain.com > ws://domain.com:80 > ws://domain.com/foo > ws://domain.com:80/foo > ws://domain.com/bar > ws://domain2.com > ws://sub1.domain.com > ws://sub1.domain.com:80 > ws://sub1.domain.com:80/bar > > Note: When a WS address does not specify an explicit port, the port > is the default port for the given WS scheme (ws: = 80 and wss: = 443). > """ > > > > > /Tobias > > > _______________________________________________ > hybi mailing list > hybi@ietf.org <mailto:hybi@ietf.org> > https://www.ietf.org/mailman/listinfo/hybi > >
- [hybi] Call for interest: multiplexing dedicated … Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Bruce Atherton
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Arman Djusupov
- Re: [hybi] Call for interest: multiplexing dedica… Salvatore Loreto
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Salvatore Loreto
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Joakim Erdfelt
- Re: [hybi] Call for interest: multiplexing dedica… John A. Tamplin
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Zhong Yu
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… John A. Tamplin
- Re: [hybi] Call for interest: multiplexing dedica… Zhong Yu
- Re: [hybi] Call for interest: multiplexing dedica… Bruce Atherton
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Zhong Yu
- Re: [hybi] Call for interest: multiplexing dedica… Arman Djusupov
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Adam Rice
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Roberto Peon
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Simone Bordet
- Re: [hybi] Call for interest: multiplexing dedica… Takeshi Yoshino
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… Adam Rice
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein
- Re: [hybi] Call for interest: multiplexing dedica… John A. Tamplin
- Re: [hybi] Call for interest: multiplexing dedica… Tobias Oberstein