Re: [hybi] Websocket: two protocols into one, and Internet rules broken

Philipp Serafin <phil127@gmail.com> Thu, 16 June 2011 20:56 UTC

Message-ID: <4DFA6DE9.7090800@gmail.com>
Date: Thu, 16 Jun 2011 22:56:09 +0200
From: Philipp Serafin <phil127@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.17) Gecko/20110414 Thunderbird/3.1.10
MIME-Version: 1.0
To: ifette@google.com, Hybi <hybi@ietf.org>
References: <BANLkTim4pKwx6wYC3WwXFWET+gx0bnjigQ@mail.gmail.com> <4DFA08A5.3010608@weelya.com> <BANLkTi=JGeFmkYcwqQJ_xe=3CGrXwHxHPg@mail.gmail.com> <4DFA1173.9050509@weelya.com> <BANLkTi=LAiw+JvCOc3VPrXnmog7AkSWwCw@mail.gmail.com> <4DFA15E9.50800@weelya.com> <BANLkTikdUneox_4tpMm-EjXPQEEbN7sF4w@mail.gmail.com> <BANLkTik4y_fRd3pEuPdrwESb7ftdbuvk9w@mail.gmail.com> <BANLkTin2000Q8=LUuuUqkfkX_GRrYAnNDw@mail.gmail.com> <BANLkTi=w2SC5MFA21NrYhsV-ZyN5hzrSiQ@mail.gmail.com>
In-Reply-To: <BANLkTi=w2SC5MFA21NrYhsV-ZyN5hzrSiQ@mail.gmail.com>
Subject: Re: [hybi] Websocket: two protocols into one, and Internet rules broken

I think it would be useful to explicitly state the kinds of exploits
that could happen though.

So far, it looks as if the only situation in which an XMLHTTP-treated-as-WS
request could do harm is when it could access a normally
origin-protected resource from a foreign origin. (From what I
understand, the handshake doesn't protect against attacks on
intermediaries; that's the job of the masking.)

However, to properly origin-protect a resource, the server already needs
to check the Sec-WebSocket-Origin header, so it is already forced to do
validation.
On the other hand, if the operators of the server don't bother with
origin checks and allow the resource to be accessed cross-origin, I don't
see any additional security risk in (trying to) access the resource via
a very kludgy XMLHTTP request rather than via a WS connection.

I know this has probably been the most-discussed topic on this list and
it's not my intention to cause any additional eye rolling. I just think
care should be taken to clarify the reasoning behind the handshake,
since this will probably generate a lot of discussion in web developer forums
once WS is up and running.

Regards,
Philipp Serafin

On 16.06.2011 22:39, Ian Fette (イアンフェッティ) wrote:
> Historically, many servers are lazy. They will not bother validating
> whatever the client sends, and will just return some value and then
> get exploited. By forcing the server to prove something to the client,
> we essentially also force the server to validate at least part of the
> client's handshake (rather than just hardcoding in some 101 Upgrade WS
> response). So, by making the server prove something to the client,
> it's a way of forcing the server to actually take some steps that have
> a side effect of protecting it (e.g. this /forces/ the server to parse
> the Sec-WebSocket-Key header.)