Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Zhong Yu <zhong.j.yu@gmail.com> Wed, 01 December 2010 03:32 UTC

Date: Tue, 30 Nov 2010 21:33:50 -0600
Message-ID: <AANLkTik0wR-Oag5YJJDmdiSy67WW6TMaHmqWEo4o5kGW@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Hybi <hybi@ietf.org>

With the Upgrade handshake, only 1 (out of 50K) firewall circumvention
attacks was successful, while with POST/Java/Flash the number is
around 1000. The Upgrade handshake is a huge improvement! But why? I
assume that the random bytes and framing bytes in the -76 handshake
corrupted HTTP streams and busted 99.9% of HTTP parsers.

In the singular successful case, the transparent proxy ignored these
non-HTTP bytes and constructed an HTTP request anyway; at least, it
extracted the "Host" header. For this attack to be really useful, it's
not enough that the bytes are tunneled to target.com. The proxy must
strip the non-HTTP bytes and send a compliant HTTP request to target.com.
Or, the proxy forwards all bytes to target.com, and the target server
strips the non-HTTP bytes and reconstructs the intended HTTP request. Did
one of these two things actually happen in the experiment?

Even worse for the attacker, it's highly unlikely that the HTTP
response sent back by target.com will be accepted by the WebSocket
client as a valid WebSocket stream. If the attacker cannot read the
response from target.com, this attack is less useful than sending a
simple HTTP request.

The combined odds that this attack works over the Upgrade handshake are
extremely small.

With the CONNECT handshake, the same transparent proxy did not pass
through the firewall circumvention attack. It is very likely that the
proxy routes by Host for each request. The handshake contains an invalid
Host, the routing failed, the connection was aborted, and the attack
couldn't be carried out. Most likely CONNECT wins over Upgrade in this
single case because of the bogus Host header, not because the proxy
understands CONNECT and gives up parsing the rest of the stream.

Altering the semantics of Host is a big deal. Even though it turns out
to be "helpful" in this singular case of the experiment, the price far
exceeds the benefit.

It should be stressed that the paper contains no empirical evidence
that the bogus Host would be helpful in other threat models.

If Host really is a problem, we should simply remove it from the
handshake. Having no Host header is not worse than having a bogus Host
header. The Host header was a hack anyway, because the request URI
wasn't absolute. We don't have to keep that hack for WebSocket.

I'm voting for the CONNECT method with a real Host header.

= Inconsistent data regarding cache poisoning attack =

Although the Upgrade handshake reduced the firewall circumvention attack
to 1/1000, it does not have the same luck with the cache poisoning
attack, according to the paper. 50% of attacks still got through. That
is *very* surprising. Caching proxies must demarcate requests precisely,
so how do they have such a high tolerance for corrupt streams? How come
99.9% of host-based-routing proxies are busted by the stream, yet 50% of
IP-based caching proxies are not busted? I must respectfully disbelieve
the result for now.

- Zhong Yu
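An added illustration, not part of Zhong Yu's message or of any proxy's code: a strict request demarcator showing how a transparent proxy avoids the behaviour described above, where bytes following a WebSocket handshake are re-parsed as a further HTTP request and routed by its Host. The handshake and the trailing request are constructed sample input; the -76 key bytes are made up.

```python
"""Added example (not code from the thread or any proxy): a strict request
demarcator that never re-parses bytes after a WebSocket handshake as a
further HTTP request.  Sample streams are constructed for the example."""
import re
from collections import namedtuple

TOKEN = re.compile(rb"[A-Za-z0-9!#$%&'*+.^_`|~-]+")   # RFC 7230 token chars
Request = namedtuple("Request", "method target headers")

def parse_head(buf: bytes):
    """Strictly parse one request head; return (Request, remaining bytes)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if (len(parts) != 3 or not TOKEN.fullmatch(parts[0])
            or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1")):
        raise ValueError("malformed request line")  # stray handshake bytes land here
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name):
            raise ValueError("malformed header line")
        headers[name.decode().lower()] = value.strip().decode("latin-1")
    return Request(parts[0].decode(), parts[1].decode("latin-1"), headers), rest

def demarcate(stream: bytes):
    """Split a client->proxy stream into routable requests plus an opaque tail.
    A WebSocket Upgrade or a CONNECT ends HTTP on the connection: bytes after
    its head are tunnel payload, never scanned for another request line or
    Host.  A parse error also stops: no request is reconstructed from a
    corrupt stream."""
    requests = []
    while stream:
        try:
            req, stream = parse_head(stream)
            body_len = int(req.headers.get("content-length", "0"))
        except ValueError:
            return requests, stream
        requests.append(req)
        upgrade = req.headers.get("upgrade", "").lower() == "websocket"
        if upgrade or req.method == "CONNECT":
            return requests, stream
        stream = stream[body_len:]              # consume an ordinary request body
    return requests, b""

# Constructed -76 style handshake: head, 8 key bytes (no Content-Length),
# followed by a request a lenient proxy might wrongly forward to target.com.
HANDSHAKE = (b"GET /chat HTTP/1.1\r\nHost: example.com\r\nUpgrade: WebSocket\r\n"
             b"Connection: Upgrade\r\nSec-WebSocket-Key1: 4 @1  46546xW%0l 1 5\r\n"
             b"Sec-WebSocket-Key2: 12998 5 Y3 1  .P00\r\n\r\n"
             b"\x8f\x1c\x02\xa7\x55\xe0\x9b\x40")
SMUGGLED = b"GET / HTTP/1.1\r\nHost: target.com\r\n\r\n"
```

Run `demarcate(HANDSHAKE + SMUGGLED)`: the proxy sees one request, routed to example.com, and an opaque tail that it never mines for a Host header.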