Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
Zhong Yu <zhong.j.yu@gmail.com> Wed, 01 December 2010 03:32 UTC
Date: Tue, 30 Nov 2010 21:33:50 -0600
Message-ID: <AANLkTik0wR-Oag5YJJDmdiSy67WW6TMaHmqWEo4o5kGW@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Hybi <hybi@ietf.org>
With the Upgrade handshake, only 1 (out of 50K) firewall circumvention attack was successful, while with POST/Java/Flash the number is around 1000. The Upgrade handshake is a huge improvement! But why? I assume that the random bytes and framing bytes in the -76 handshake corrupted HTTP streams and busted 99.9% of HTTP parsers. In the singular successful case, the transparent proxy ignored these non-HTTP bytes and constructed an HTTP request anyway; at least, it extracted the "Host" header.

For this attack to be really useful, it's not enough that the bytes are tunneled to target.com. The proxy must strip non-HTTP bytes and send a compliant HTTP request to target.com. Or, the proxy forwards all bytes to target.com, and the target server strips non-HTTP bytes and reconstructs the intended HTTP request. Did one of these two things actually happen in the experiment?

Even worse for the attacker, it's highly unlikely that the HTTP response sent back by target.com will be accepted by the WebSocket client as a valid WebSocket stream. If the attacker cannot read the response from target.com, this attack is less useful than sending a simple HTTP request. The combined odds that this attack works over the Upgrade handshake are extremely small.

With the CONNECT handshake the same transparent proxy did not pass through the firewall circumvention attack. It is very likely that the proxy routes by Host for each request. The handshake contains an invalid Host, the routing failed, the connection was aborted, and the attack couldn't be carried out. Most likely CONNECT wins over Upgrade on this single case because of the bogus Host header, not because the proxy understands CONNECT and gives up parsing the rest of the stream.

Altering the semantics of Host is a big deal. Even though it turns out to be "helpful" in this singular case of the experiment, the price far exceeds the benefit. It should be stressed that the paper contains no empirical evidence that the bogus Host would be helpful in other threat models. If Host really is a problem, we should simply remove it from the handshake. Having no Host header is not worse than having a bogus Host header. The Host header was a hack anyway because the request URI wasn't absolute. We don't have to keep that hack for WebSocket. I'm voting for the CONNECT method with a real Host header.

= Inconsistent data regarding cache poisoning attack =

Although the Upgrade handshake reduced the firewall circumvention attack to 1/1000, it does not have the same luck with the cache poisoning attack, according to the paper. 50% of attacks still got through. That is *very* surprising. Caching proxies must demarcate requests precisely; how do they have such a high tolerance of a corrupt stream? How come 99.9% of host-based-routing proxies are busted by the stream, yet 50% of IP-based caching proxies are not busted? I must respectfully disbelieve the result for now.

- Zhong Yu
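The two proxy behaviours the post reasons about, strict request demarcation and routing by Host, modelled as an added example (not code from the thread or from the paper it discusses). The stream, host names and the 8 trailing "key" bytes are constructed placeholders; the parser fails closed at the first byte that is not a well-formed request instead of scanning ahead, which is the behaviour the post argues busted 99.9% of the parsers in the experiment.

```python
import re

# Constructed sample stream (not from the thread): a draft-76 style Upgrade
# handshake, 8 arbitrary non-HTTP key bytes, then a second plain request
# naming a different host. All values are placeholders.
STREAM = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: ws.example.test\r\n"
    b"Upgrade: WebSocket\r\n"
    b"Connection: Upgrade\r\n"
    b"\r\n"
    b"\x01\x02\x03\x04\x05\x06\x07\x08"                 # -76 key3: not HTTP
    b"GET / HTTP/1.1\r\nHost: other.example.test\r\n\r\n"
)

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def parse_request(buf, pos):
    """Parse exactly one request starting at buf[pos]; return (host, next_pos).
    Raises ValueError on anything that is not a well-formed request at that
    exact offset: a strict proxy fails closed rather than resynchronising."""
    end = buf.find(b"\r\n\r\n", pos)
    if end < 0:
        raise ValueError("incomplete header block")
    lines = buf[pos:end].split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        raise ValueError("invalid request line: %r" % lines[0][:16])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        raise ValueError("missing Host header")
    return headers[b"host"].decode("ascii"), end + 4

def route_stream(buf, connected_host):
    """Model a Host-routing proxy: every request on the connection must name
    the host the client connected to, and parsing stops at the first
    undecodable bytes. Returns one outcome string per request attempt."""
    outcomes, pos = [], 0
    while pos < len(buf):
        try:
            host, nxt = parse_request(buf, pos)
        except ValueError as err:
            outcomes.append("abort: " + str(err))
            break
        if host != connected_host:
            outcomes.append("abort: host mismatch")
            break
        outcomes.append("route " + host)
        pos = nxt
    return outcomes
```

With the client connected to ws.example.test, the handshake routes and the key bytes abort the connection; with a Host that does not match the connected authority (the bogus-Host case in the post), the very first request is refused.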