Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Sat, 09 October 2010 17:11 UTC

Message-ID: <4CB0A27D.9000307@caucho.com>
Date: Sat, 09 Oct 2010 10:12:29 -0700
From: Scott Ferguson <ferg@caucho.com>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
In-Reply-To: <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

Bjoern Hoehrmann wrote:
> * Scott Ferguson wrote:
>
>> Your attacker's PHP script is perfectly capable of launching a
>> non-browser attack against the target server. It's not true at all that
>> an HTTP request is one of the "things they currently cannot do". Can you
>> explain why the attacker doesn't just launch a trivial non-browser
>> attack from the PHP script?
>>
>
> Because the target may refuse requests from the script but accept them
> if they come from a certain user's browser. The server-side script
> cannot, for instance, spoof the user's IP address, but the client-side
> one can.
>

IP restrictions aren't practical because clients access sites from a 
variety of devices including mobile access points. A $2 a month server 
on a shared virtual host certainly isn't doing authentication using IP 
identification.

You're now claiming:

  1. DELETE public to the world
  2. No credential-based authentication
  3. Strong IP authentication which forbids the local host, but allows arbitrary browser IPs.

That's just plain nonsense. Reductio ad absurdum isn't supposed to be 
taken literally.

-- Scott