IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Bjoern Hoehrmann <derhoermi@gmx.net> Sat, 02 October 2010 12:35 UTC

Return-Path: <derhoermi@gmx.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2C8353A6C2A for <hybi@core3.amsl.com>; Sat, 2 Oct 2010 05:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.641
X-Spam-Level:
X-Spam-Status: No, score=-2.641 tagged_above=-999 required=5 tests=[AWL=-0.042, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H31fO1O8Vs1o for <hybi@core3.amsl.com>; Sat, 2 Oct 2010 05:35:56 -0700 (PDT)
Received: from mail.gmx.net (mailout-de.gmx.net [213.165.64.23]) by core3.amsl.com (Postfix) with SMTP id C4C6B3A6C91 for <hybi@ietf.org>; Sat, 2 Oct 2010 05:35:55 -0700 (PDT)
Received: (qmail invoked by alias); 02 Oct 2010 12:36:44 -0000
Received: from dslb-094-222-150-219.pools.arcor-ip.net (EHLO hive) [94.222.150.219] by mail.gmx.net (mp009) with SMTP; 02 Oct 2010 14:36:44 +0200
X-Authenticated: #723575
X-Provags-ID: V01U2FsdGVkX18GQhll64sG0u/elH2KMDLwEVRnJVTnDQFQasqhGE KCxRgTHPviEYmL
From: Bjoern Hoehrmann <derhoermi@gmx.net>
To: Greg Wilkins <gregw@webtide.com>
Date: Sat, 02 Oct 2010 14:36:44 +0200
Message-ID: <1h9ea61ep75seushbsi9uhdvqv66i7gmsd@hive.bjoern.hoehrmann.de>
References: <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com>
In-Reply-To: <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com>
X-Mailer: Forte Agent 3.3/32.846
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Y-GMX-Trusted: 0
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Oct 2010 12:35:58 -0000

* Greg Wilkins wrote:
>On 2 October 2010 11:08, Adam Barth <ietf@adambarth.com> wrote:
>> Unfortunately, we don't have the luxury of ignoring attacks against
>> these "older" protocols.
>
>Nobody is ignoring the attacks on "older" protocols.
>
>Your efforts have show that with the capabilities of XHR you could
>almost but not quiet make a cross protocol to DNS.
>So we know that DNS is not vulnerable to the wide range of HTTP
>requests that XHR can send  (eg with lots of application provided
>data).

(Adam's example depends on the server emitting a string under the
attackers control and uses a form post so that script is executed
in an unexpected context. You can't make an attack "like that"
using XMLHttpRequest.)
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

v2.23.0 | Report a Bug | By Email