IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Sat, 02 October 2010 17:57 UTC

Return-Path: <ferg@caucho.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 010B63A6C4D for <hybi@core3.amsl.com>; Sat, 2 Oct 2010 10:57:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.198
X-Spam-Level:
X-Spam-Status: No, score=-2.198 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epIb+G4Axhfz for <hybi@core3.amsl.com>; Sat, 2 Oct 2010 10:57:05 -0700 (PDT)
Received: from smtp112.biz.mail.sp1.yahoo.com (smtp112.biz.mail.sp1.yahoo.com [69.147.92.225]) by core3.amsl.com (Postfix) with SMTP id 3F2D83A6BEB for <hybi@ietf.org>; Sat, 2 Oct 2010 10:57:05 -0700 (PDT)
Received: (qmail 69320 invoked from network); 2 Oct 2010 17:57:54 -0000
Received: from [192.168.1.11] (ferg@66.92.8.203 with plain) by smtp112.biz.mail.sp1.yahoo.com with SMTP; 02 Oct 2010 10:57:54 -0700 PDT
X-Yahoo-SMTP: L1_TBRiswBB5.MuzAo8Yf89wczFo0A2C
X-YMail-OSG: lFlD9dIVM1nmxzk5CSb0H1eQUBEPxqgNedH1ybqyVXHdR9P HsndjHqsied_JmOwVp3cHp2CjfGuzcCVmJO8_qh8CQ2AWG8s1HXW89v6h.z4 BbNOUN53wTkjEYLbNqvQOsTkxuIG2tVdBuXjAZuuz8Xo0deUqXADmytclyS5 Xhvo11xvRtPTTxy9PHf1DlDlOOB.6E0CAGCqXzDMP0J.a3DA7.J1ShFZMygg _GSlhc8AwtXxfondzj94YymGC5x5aeWcMjFv4jFx_3es6Vq2oxT_l9E1crFK hOwXL0YjFRkDY_bWQ63cA
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4CA772A1.2090808@caucho.com>
Date: Sat, 02 Oct 2010 10:57:53 -0700
From: Scott Ferguson <ferg@caucho.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <4CA12810.8020006@caucho.com> <AANLkTimrMfXrnVMjU3f57L_sO7usyYQ56rBM4aMb2Pfr@mail.gmail.com> <20100928052501.GD12373@1wt.eu> <CA8029B0-71A3-44ED-88C6-934FE833BBA2@apple.com> <AANLkTim+fXj-h6OS3OdcfVfh3Q1UwxD8NLVawb=AWHX+@mail.gmail.com> <4FAC5C93-9BDF-4752-AFBC-162D718397AB@apple.com> <AANLkTikcH1W3bQwumqHbe-Yqa3XdoJqCa2b-mZuvoQ7g@mail.gmail.com> <9746E847-DC8B-45A7-ADF3-2ADB9DA7F82E@apple.com> <AANLkTik9igUwoxVrktoBoZrPoUW=Tjh7HyVbGJgQYes-@mail.gmail.com> <9F595226-FA0A-4C38-A6D0-0F4214BD7D21@apple.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com>
In-Reply-To: <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Oct 2010 17:57:06 -0000

Adam Barth wrote:
> I brought up the example of DNS to show how an attacker might be able
> to get a non-WebSocket server to rely the c-nonce to the attacker and
> let the attacker relay back with the HMAC of the c-nonce.  This
> example might not completely break the c-nonce handshake, but it's
> evidence that relying upon an HMAC alone is probably unwise.
>   

Let's focus on this point.

To successfully attack the nonce/hash, the hijacker must do all of the 
following:

  1) Find a server or proxy (or sequence of proxies) that calculates H(x,y)
  2) Extract c-nonce from the request bytes and inject it into x.
  3) Inject "WebSocket" into the request and inject into y.
  4) Induce the server/proxy to return/forward the calculated hash in 
the proper format.

To keep the discussion focused on #1, lets give the hijacker 2-4.

There are two restrictions however:

  a) The hijacker can't use a websocket proxy.
  b) No time travel allowed.

Your DNS example did not weaken requirement #1, because it didn't 
identify a server or proxy that could calculate the hash. Your "relay 
back" either used the browser itself as a websocket proxy or it meant 
time travel.

-- Scott
> Adam
>
>
>
>

v2.23.0 | Report a Bug | By Email