Re: [hybi] Moving to a CONNECT-based handshake
Adam Barth <ietf@adambarth.com> Wed, 01 December 2010 22:27 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA0CF3A67F7 for <hybi@core3.amsl.com>; Wed, 1 Dec 2010 14:27:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=-1.222, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UeuMBHBzEd1R for <hybi@core3.amsl.com>; Wed, 1 Dec 2010 14:27:36 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id 6AE083A67D1 for <hybi@ietf.org>; Wed, 1 Dec 2010 14:27:36 -0800 (PST)
Received: by vws7 with SMTP id 7so2956283vws.31 for <hybi@ietf.org>; Wed, 01 Dec 2010 14:28:50 -0800 (PST)
Received: by 10.220.168.196 with SMTP id v4mr2325410vcy.255.1291242530025; Wed, 01 Dec 2010 14:28:50 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id p28sm137809vcr.22.2010.12.01.14.28.48 (version=SSLv3 cipher=RC4-MD5); Wed, 01 Dec 2010 14:28:49 -0800 (PST)
Received: by iwn40 with SMTP id 40so9358342iwn.31 for <hybi@ietf.org>; Wed, 01 Dec 2010 14:28:48 -0800 (PST)
Received: by 10.231.39.129 with SMTP id g1mr9549653ibe.178.1291242527897; Wed, 01 Dec 2010 14:28:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.12.77 with HTTP; Wed, 1 Dec 2010 14:28:17 -0800 (PST)
In-Reply-To: <94AF27DF-229F-4F06-AB68-89592BF980A7@gbiv.com>
References: <op.vmzqkhszidj3kv@simon-pieterss-macbook.local> <4CF52558.9010100@gmx.de> <4CF529FF.9080708@opera.com> <BB31C4AB95A70042A256109D4619912605790150@XCH117CNC.rim.net> <AANLkTimzTvtho0m9HZSe6exgSwZxbCnxtmeJd2-G0aSK@mail.gmail.com> <BB31C4AB95A70042A256109D4619912605790178@XCH117CNC.rim.net> <BB31C4AB95A70042A256109D4619912605790190@XCH117CNC.rim.net> <AANLkTimQJz22RtoVnB16C8Mi4C8=QKB946wSR9BRsP85@mail.gmail.com> <AANLkTi=BPFKVfj1CQQ4pk9-M_-9=ftQQPerfAFZtV8K7@mail.gmail.com> <AANLkTimPj6Xpqfm2k_VLeF=7M7s57yhsq67o4frKrK7L@mail.gmail.com> <780F99F1-00F7-4E4A-A29F-9C94F66ADD13@gbiv.com> <AANLkTin+HYi+p-53y7bB-qvSMzN9oRQdTcQEusyxdRX_@mail.gmail.com> <94AF27DF-229F-4F06-AB68-89592BF980A7@gbiv.com>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 01 Dec 2010 14:28:17 -0800
Message-ID: <AANLkTi=sm15-2nbmScfptPneAZK3b4u-4jRE=8eCwg81@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Moving to a CONNECT-based handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2010 22:27:38 -0000
2010/12/1 Roy T. Fielding <fielding@gbiv.com>: > On Dec 1, 2010, at 12:41 PM, Adam Barth wrote: >> On Wed, Dec 1, 2010 at 12:21 PM, Roy T. Fielding <fielding@gbiv.com> wrote: >>> On Dec 1, 2010, at 8:45 AM, Ian Fette (イアンフェッティ) wrote: >>>> We all know that WS over port 80 faces obstacles. That's been known for a long time, nothing has changed, and yet there remains a group that wishes to try to use it. As long as the problems are known, I see no reason to try to forbid it. >>>> >>>> As for strong objectors, it seems like many people who are implementing have voiced strong support for adams proposal, modulo some tweaks here and there. I would like to see how far we can get. >>> >>> We will get nowhere. Adam's proposal is to use CONNECT, a method specifically >>> designed for telling a normal (non-intercept, non-reverse) proxy to create a >>> TCP tunnel to some other host:port, and he suggest using it to do something >>> contrary to its method definition and the HTTP architecture in general. >>> That would violate both CONNECT semantics and the HTTP syntax for non-proxy >>> requests (not to mention our hybi charter). Please understand that such an >>> abomination will not be allowed in an Internet proposed standard even if the >>> browsers deployed it, and thus should be rejected out of hand. >> >> You're assuming that the server in a WebSocket connection is an HTTP >> server. It seems entirely reasonable to regard it as a proxy instead. >> In that case, the semantics work out fine. > > No. It could very well be a proxy, expecting to receive both valid > proxy requests (hopefully with some form of authentication) and valid > non-proxy requests. The CONNECT semantics are clear enough to show > that your request does not follow them, and therefore will be treated > as an error. That error will result in error logs, occasional pages > to overworked sysadmins, and in rare cases an automatic IPfw block > and a call to the FBI. This is because CONNECT has been used in the > past by rootkit zombies to attack HTTP servers looking for open > relay proxies. Hopefully the FBI will learn to ignore these calls and focus on more important issues. >>> Listen to the input you have received already. The vulnerability described >>> in Adam's paper has nothing to do with the Upgrade handshake -- they >>> specifically did not test the actual handshake. What they did is test the >>> post-handshake non-encrypted connection for intercept proxies that might >>> (in 8 out of 47,338 cases) mistakenly interpret the unencrypted channel >>> after the handshake is completed (or ignored). Thus, it represents >>> an attack on any non-opaqued channel that is being scanned by caching >>> intercept proxies (an architecture that is not condoned by HTTP but does >>> occur in some limited practice by idiots) when a browser is allowed to >>> send arbitrary bytes over that channel. >> >> Correct. >> >>> One question, therefore, is whether it is important to protect the 0.0169% >>> of users behind networks that are deliberately using an insecure and invalid >>> form of HTTP proxy from yet another attack based on that invalid usage. >>> YMMV. >> >> For better or worse, browser vendors feel responsible to protect >> "idiots" (as you call them) from themselves. You might or might not >> agree with that decision, but that's unlikely to change. > > You aren't protecting them -- they are already vulnerable to those > attacks via POST and anything else that can send data on port 80. > At best we just avoid piling on. > > It is a basic vulnerability of the browser same-origin protocol > to assume that same-IP will result in same-origin. The browser's same-origin policy does not make that assumption. Java's does, however, and it is indeed a security problem for Java. > Combine that > with not retaining control over the Host header field (the actual > same-origin) or the application framing that determines where a > request starts, and then we have a security hole. Are you referring to WebSockets or some other browser feature? One of the security invariants browsers enforce is the integrity of the Host header. > That hole can > be avoided for websockets by controlling the post-handshake output, > so browser vendors can happily continue to be responsible for > protecting those admin idiots who feel compelled to install > caching intercepts that don't respect HTTP/1.1 framing, even > if we don't use the proposed CONNECT handshake. That's true. Alternatively, we can use CONNECT to achieve the same goal. >>> A more sensible test would have been to use a new method, like WEBSOCKET, >>> since then at least the initial handshake could remain HTTP-compliant. >> >> Unfortunately, using a new method doesn't solve any of the problems >> we're currently worried about. CONNECT, specially, is useful because >> many intermediaries already have the behavior we desire when >> processing CONNECT messages. > > What makes you say that? The empirical evidence we collected as part of the experiment we conduced. > CONNECT sent to a proxy doesn't have the > behavior we want unless the host:port is true, and even then the > result is a pure tunnel which will need to start its own handshake. Indeed. If you read the handshake proposal, that's exactly what we suggest. > Most proxies already limit use of CONNECT to specific ports, for > security reasons, so that it doesn't actually get around the firewall > limitations. CONNECT sent to an origin server doesn't work any > better than a new method. It seems like you're talking about improving how often the handshake succeeds in non-attack scenarios. That's a separate issue. The empirical evidence that we've collected suggests that the CONNECT-based handshake completes roughly as often as the Upgrade-based handshake. Of course, both completion rates are relatively low. For high completion rates, folks will want to use TLS. > Changing the method to WEBSOCKET doesn't change the security > characteristics of encrypting the subsequent content, since we > can do that more easily with a new method. We can encrypt subsequent content with the same degree of ease with either method. >>> BTW2, "transparent proxy" != "intercept proxy". A proxy is called transparent >>> when it doesn't transform the messages exchanged, unlike intercepts (which >>> aren't even true proxies since they are unknown to the client). Please use >>> the correct terminology. >> >> For what its worth, we researched this issue when writing the paper. >> These terms appear to be used interchangeably by most folks, including >> Wikipedia. > > Most folks don't write Internet standards based on protocols that > already contain a different definition for "transparent proxy" (one which > we plan on replacing with "non-transforming proxy" just because of > that confusion). We use the term intercept because it has no other > confusing-yet-standard definition. Fortunately our paper is not an Internet standard. :) Adam
- [hybi] Moving to a CONNECT-based handshake Simon Pieters
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake James Graham
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Anne van Kesteren
- Re: [hybi] Moving to a CONNECT-based handshake Anne van Kesteren
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake Joe Mason
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Scott Ferguson
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Joe Hildebrand
- Re: [hybi] Moving to a CONNECT-based handshake John Tamplin
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Pat McManus @Mozilla
- Re: [hybi] Moving to a CONNECT-based handshake Greg Wilkins
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Jamie Lokier
- Re: [hybi] Moving to a CONNECT-based handshake Greg Wilkins
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Maciej Stachowiak
- Re: [hybi] Moving to a CONNECT-based handshake Julian Reschke
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Ian Fette (イアンフェッティ)
- Re: [hybi] Moving to a CONNECT-based handshake Roy T. Fielding
- Re: [hybi] Moving to a CONNECT-based handshake Adam Barth
- Re: [hybi] Moving to a CONNECT-based handshake Willy Tarreau
- Re: [hybi] Moving to a CONNECT-based handshake Roy T. Fielding
- Re: [hybi] Moving to a CONNECT-based handshake Adam Barth
- Re: [hybi] Moving to a CONNECT-based handshake Bjoern Hoehrmann