IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Sat, 02 October 2010 01:07 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E4C7F3A6E46 for <hybi@core3.amsl.com>; Fri, 1 Oct 2010 18:07:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.709
X-Spam-Level:
X-Spam-Status: No, score=-1.709 tagged_above=-999 required=5 tests=[AWL=-0.332, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_14=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CrVF98lyZU4P for <hybi@core3.amsl.com>; Fri, 1 Oct 2010 18:07:56 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by core3.amsl.com (Postfix) with ESMTP id E7C123A6E2A for <hybi@ietf.org>; Fri, 1 Oct 2010 18:07:53 -0700 (PDT)
Received: by qyk7 with SMTP id 7so11890qyk.10 for <hybi@ietf.org>; Fri, 01 Oct 2010 18:08:43 -0700 (PDT)
Received: by 10.229.10.223 with SMTP id q31mr4320078qcq.280.1285981720377; Fri, 01 Oct 2010 18:08:40 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id x34sm1974814qci.30.2010.10.01.18.08.38 (version=SSLv3 cipher=RC4-MD5); Fri, 01 Oct 2010 18:08:39 -0700 (PDT)
Received: by iwn3 with SMTP id 3so5366877iwn.31 for <hybi@ietf.org>; Fri, 01 Oct 2010 18:08:38 -0700 (PDT)
Received: by 10.231.60.4 with SMTP id n4mr6582057ibh.18.1285981717960; Fri, 01 Oct 2010 18:08:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.149.20 with HTTP; Fri, 1 Oct 2010 18:08:07 -0700 (PDT)
In-Reply-To: <4CA68098.8010404@caucho.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <5CBF797D-A58E-4129-96B3-164F6E7409B9@apple.com> <4CA0D0D2.4040006@caucho.com> <AANLkTinACqm-GxUPhvFMf6_sGfeJofwy1r=28o=vgM43@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com> <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 01 Oct 2010 18:08:07 -0700
Message-ID: <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Oct 2010 01:07:57 -0000

Please read my later message.  That should give you a more concrete
understanding of the issue.

(minor points inline)

On Fri, Oct 1, 2010 at 5:45 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Adam Barth wrote:
>>
>> On Thu, Sep 30, 2010 at 6:50 PM, Scott Ferguson <ferg@caucho.com> wrote:
>>
>>>
>>> To repeat the key pieces:
>>>  a) c-nonce must not be available to or predictable by the hijacker
>>>  b) "WebSocket" is not possessed by a non-websocket server
>>>
>>
>> You're making a bunch of assumptions about how non-websocket servers
>> behave.  In particular, consider a protocol like DNS.  It's entirely
>> possible that a DNS-like protocol could relay the c-nonce to the
>> attacker and give the attacker an opportunity to response with the
>> appropriate hash, which the server would then relay to the client.
>> Attacks of this general class (even against DNS) are known for HTTP.
>>
>
> No, Adam, you can't just handwave that scenario. Let's take your attack in
> detail.
>
>  1) Hijacker has taken control of a browser and initiates a websocket
> connection.
>  2) That websocket connection is to a DNS server.
>  3) The DNS server relays the c-nonce to the hijacked browser (???)
>
>      browser -> DNS -> browser
>
>  4) The hijacked browser can now compute H(c-nonce, "WebSocket")
>  5) The browser somehow sends the H(c-nonce, "WebSocket") to the DNS proxy
> which now that it has the hash redirects to the actual target, which echos
> the hash through the theoretical proxy chain. Or it acts as a web-socket
> relay itself
>
>      browser -> DNS -> browser -> target
>
> None of which makes any sense.
>
> I am making some assumptions:
>
>  1) there are no websocket open relays. If there are, the issue isn't a
> cross-protocol attack, but an open relay attack. Your description proposes
> the browser itself as a websocket open relay ("could relay the c-nonce to
> the attacker").
>
>  2) there are no open relays that compute H(xxxx, "WebSocket") or open
> relays that calculate arbitrary hashes H(xxxx).  Your proposed DNS attack
> does neither, nor does it propose a relay that does calculate either.
> Instead, you handwave to the hijacked browser itself as an open websocket
> relay.
>
>> The security of this protocol relies on more assumptions than you've
>> listed in your message.  Reasoning about security here is very subtle,
>> especially when reasoning about the behavior of non-WebSocket servers.
>>  We need to be prepared for them to do a wide variety of things.
>>
>
> This statement is not particularly useful.
>
> If you assume the existence of open relays which implement arbitrary
> protocols and compute arbitrary functions, that's equivalent to assuming the
> relay is a valid websocket proxy, which is no longer a cross-protocol
> attack.
>
> Does your "wide variety of things" include calculation of arbitrary hashes?
>
>> As a side note, using an exotic HTTP method is not a good idea.  The
>> first few bytes of the clients initial message are absolutely
>> critical.  Picking an exotic HTTP method is just rolling the dice
>> w.r.t. what protocols an attacker can exploit.  For example, some
>> attacks from HTTP to DNS rely critically on the fact that the first
>> byte of an HTTP POST message is an uppercase P.  The kinds of things
>> you can do with an uppercase W as the first byte are largely
>> unstudied.
>>
>
> You misunderstand entirely.
>
> It's not an exotic HTTP method; it's identifying the protocol by the initial
> sequence of bytes.

Exotic => can't be sent by web sites to arbitrary hosts today in browsers.

> If every client for every protocol sent a non-hijackable unique protocol
> identifier as its initial sequence, and every server for every protocol
> verified the protocol identifier before accepting any further bytes, then
> cross protocol attacks would be impossible.

Sure, but there are plenty of protocols that don't do that.

> We can't fix the older protocols that don't identify themselves immediately
> and don't validate, but we can ensure that new protocols do.

Unfortunately, we don't have the luxury of ignoring attacks against
these "older" protocols.

Adam

v2.23.0 | Report a Bug | By Email