IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Fri, 08 October 2010 23:56 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DF253A698B for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 16:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.986
X-Spam-Level:
X-Spam-Status: No, score=-1.986 tagged_above=-999 required=5 tests=[AWL=-0.009, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95-mE-Xvw0r4 for <hybi@core3.amsl.com>; Fri, 8 Oct 2010 16:56:49 -0700 (PDT)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 159843A696D for <hybi@ietf.org>; Fri, 8 Oct 2010 16:56:49 -0700 (PDT)
Received: by gwb20 with SMTP id 20so611848gwb.31 for <hybi@ietf.org>; Fri, 08 Oct 2010 16:57:54 -0700 (PDT)
Received: by 10.150.160.13 with SMTP id i13mr3886718ybe.400.1286582274223; Fri, 08 Oct 2010 16:57:54 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id u3sm483884yba.22.2010.10.08.16.57.53 (version=SSLv3 cipher=RC4-MD5); Fri, 08 Oct 2010 16:57:53 -0700 (PDT)
Received: by iwn10 with SMTP id 10so1730914iwn.31 for <hybi@ietf.org>; Fri, 08 Oct 2010 16:57:52 -0700 (PDT)
Received: by 10.42.186.66 with SMTP id cr2mr352013icb.525.1286582272212; Fri, 08 Oct 2010 16:57:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.149.20 with HTTP; Fri, 8 Oct 2010 16:57:21 -0700 (PDT)
In-Reply-To: <4CAFAC2B.5000800@caucho.com>
References: <AANLkTikszM0pVE-0dpZ2kv=i=y5yzS2ekeyZxtz9N=fQ@mail.gmail.com> <4CA4BE10.1010709@caucho.com> <AANLkTi=wKFnNOuM+U3fktAFRn3R5OZ7c6PR2W3EAy7tm@mail.gmail.com> <4CA53E6B.1040808@caucho.com> <AANLkTikOyvF5AHTf4sDD=rWmK2FTD6R6LaHa4KTqkbcm@mail.gmail.com> <4CA68098.8010404@caucho.com> <AANLkTinYhW9MnnM3tkbCWziePyM7mFUEteKhw5OGp-eS@mail.gmail.com> <AANLkTi=_ejOCNiM49VW5q05=H7-M0jzAvXvGaKM1b7mX@mail.gmail.com> <AANLkTimyJj+Jxz1Q6fLrQ8iosGkD+0shUh3=td+jX_Do@mail.gmail.com> <4CA772A1.2090808@caucho.com> <AANLkTi=nLixtxMEd4B58Zp5FRbquNX2C_=7gCf9BGGQs@mail.gmail.com> <4CABCBFA.6020100@caucho.com> <AANLkTi=5wbCXWpOtUQT1MndgCxt9gj6uR_3U=nONpjKc@mail.gmail.com> <4CABD11F.3060500@caucho.com> <AANLkTiksehiSp7DB17MBVBb457p6pN5E8vma6FHz1c9j@mail.gmail.com> <4CACA667.3040309@caucho.com> <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 08 Oct 2010 16:57:21 -0700
Message-ID: <AANLkTi=0WOHJ-+JRKz3biDKaW1qRrM7pXCuqYhB4M3X3@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Oct 2010 23:56:50 -0000

On Fri, Oct 8, 2010 at 4:41 PM, Scott Ferguson <ferg@caucho.com> wrote:
> Adam Barth wrote:
>> Concretely, consider http://www.adambarth.com/.  My web site is a
>> virtual host on a physical server in a 1and1 datacenter.  I'm
>> perfectly capable of placing a PHP script on my virtual host.  If the
>> PHP script is able to complete the web socket handshake, then I can
>> open a WebSocket connection to www.adambarth.com on port 80 from the
>> user's browser.  Once the WebSocket handshake completes, I can now
>> talk directly to the 1and1 server over more-or-less a raw socket,
>> which means I can spoof further HTTP requests and potentially attack
>> other virtual hosts that happen to be on the same physical machine,
>> which is bad news bears.
>
> So the attacker has a PHP script running on the same physical machine as the
> target site, on the same VM guest as the target, and using the same shared
> web server as the target, and has decided that a cross protocol attack is
> the appropriate vector against a target on the same machine as his PHP
> script.
>
> I'll let others decide if that scenario is something the WebSocket protocol
> needs to address.

These scenarios are very real.  My web site is certainly not the only
virtual PHP hosting on the Internet.  :)

> However, I will point out that using "WEBSOCKET" as the HTTP method would
> let the ISP reject the initial request, protecting other virtual hosts from
> this attack.

That assumes the ISP is aware of WebSockets.  We're considering
vulnerabilities in servers that are not upgraded to understand
WebSockets.

Adam

v2.23.0 | Report a Bug | By Email