IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Greg Wilkins <gregw@webtide.com> Mon, 27 September 2010 06:16 UTC

Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CA8903A6C68 for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 23:16:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.551
X-Spam-Level:
X-Spam-Status: No, score=-0.551 tagged_above=-999 required=5 tests=[AWL=-0.988, BAYES_40=-0.185, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3kZcfve3evC for <hybi@core3.amsl.com>; Sun, 26 Sep 2010 23:16:13 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 847E53A6851 for <hybi@ietf.org>; Sun, 26 Sep 2010 23:16:13 -0700 (PDT)
Received: by iwn3 with SMTP id 3so5242326iwn.31 for <hybi@ietf.org>; Sun, 26 Sep 2010 23:16:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.16.75 with SMTP id n11mr7071650iba.49.1285568211254; Sun, 26 Sep 2010 23:16:51 -0700 (PDT)
Received: by 10.231.178.88 with HTTP; Sun, 26 Sep 2010 23:16:51 -0700 (PDT)
In-Reply-To: <AANLkTikfYOCOm_+g3=QCTFOCo=rYsj8WpX8AS65qgkPm@mail.gmail.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <62B5CCE3-79AF-4F60-B3A0-5937C9D291D7@apple.com> <AANLkTikKc+4q_Q1+9uDo=ZpFF6S49i6vj2agZOGWVqKm@mail.gmail.com> <E2D38FF3-F1B9-4305-A7FC-A9690D2AEB4A@apple.com> <AANLkTikRYB_suPmSdH3uzGmdynozECRszDx+BpUvtZ4h@mail.gmail.com> <AANLkTikfYOCOm_+g3=QCTFOCo=rYsj8WpX8AS65qgkPm@mail.gmail.com>
Date: Mon, 27 Sep 2010 16:16:51 +1000
Message-ID: <AANLkTim0R-cHCKiMw-zA7r+NrQbbiyM2xPLVm8G-shCx@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 06:16:14 -0000

On 27 September 2010 11:35, Adam Barth <ietf@adambarth.com> wrote:
> Browser also protect intranet servers which use connectivity as their
> sole means of authentication/authorization.

True.

So does the presence of WS capability in the browser and/or server
provide any additional capability to exploit such servers?

If so, do the measures in the current and proposed handshakes help in
any significant way?

If not, is there something that we need to do to explicitly protect
port ranges etc in the same way that browsers currently do for XHR?


> The existing HTTP mechanisms exposed to untrusted content in browser
> already respects these security invariants.  In adding new network
> APIs, browser wish to continue to maintain these invariants.

Excellent and both the requirements document and all recent versions
of the specification have included text to the effect that the
existing browser security model will be used.

Maybe that text needs clarification, but nobody has suggested watering
it down in any way.



>> I think that any server that "performs any side effects in response to
>> messages from the client" will have a security vulnerability if they
>> do not correctly check the authentication and authorization of the
>> client.
>
> This is not an accurate understanding of the security invariants
> browsers seek to maintain.

I was not attempting to describe the security invariants that a
browser seeks to maintain.

I was making the observation that a server that performs side effects
on the basis of unauthenticated requests will by definition have a
security issue.   The ability to trigger that issue from a cross
protocol attack is essentially irrelevant if we are proposing the wide
spread deployment of a same protocol mechanism that can trigger the
same side effects.


>> Eventually most browsers will have WS available to the
>> javascript, so a server that is so vulnerable will be able to be
>> exploited just with WS instead of trying to trick HTTP.
>
> Browser seek to protect servers that have never heard of WebSockets
> and have no interest in these newer technologies.  From that
> perspective, it's important to compare the security invariants of the
> browser before and after introducing WebSockets.  We need to study any
> change in these invariants to make sure they don't introduce security
> vulnerabilities in existing servers.  This is a prerequisite for
> exposing the WebSocket API to untrusted content in the browser.

Which is precisely why I have been advocating that we study the impact
of the current handshake and proposed changes.

We need to discuss what type of byte sequences can a compromised WS
capable browser generate that a HTTP capable browser cannot? Are any
of these types of sequences a threat to WS unaware servers?   Does the
space counting and unframed bytes help in any way?

I have suggested that the defence in depth of Sec-headers, nonce
generation, handshake sequence requirements and normal web
authentication/authorization should limit the byte sequence that can
be generated to nothing that is more harmful that what can already
been generated.

All I have asked is if you have done any study that indicates that
suggests that space counting and unframed data provide any additional
meaningful security?

regards

v2.23.0 | Report a Bug | By Email