IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Willy Tarreau <w@1wt.eu> Sat, 09 October 2010 20:39 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62FF33A692B for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 13:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.791
X-Spam-Level:
X-Spam-Status: No, score=-2.791 tagged_above=-999 required=5 tests=[AWL=-0.748, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-lF6yHbrkXi for <hybi@core3.amsl.com>; Sat, 9 Oct 2010 13:39:14 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 52F933A6929 for <hybi@ietf.org>; Sat, 9 Oct 2010 13:39:14 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o99Ke9Hm009115; Sat, 9 Oct 2010 22:40:09 +0200
Date: Sat, 09 Oct 2010 22:40:09 +0200
From: Willy Tarreau <w@1wt.eu>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20101009204009.GP4712@1wt.eu>
References: <4CAF9589.1060007@caucho.com> <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com> <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <4CAFAC2B.5000800@caucho.com> <55bva61goeqtn0lifgjt5uihf50obh7kf4@hive.bjoern.hoehrmann.de> <4CAFB9C4.6030905@caucho.com> <AANLkTinv5Ym5jwUEqS76z3UkVa7GpmOBT_WXhBbFK0-m@mail.gmail.com> <20101009055723.GL4712@1wt.eu> <AANLkTimY2DjxgZybibSRtc7L34Wns2KhQC=Wa9K6PYku@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AANLkTimY2DjxgZybibSRtc7L34Wns2KhQC=Wa9K6PYku@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Oct 2010 20:39:16 -0000

On Sat, Oct 09, 2010 at 09:43:21AM -0700, Eric Rescorla wrote:
> On Fri, Oct 8, 2010 at 10:57 PM, Willy Tarreau <w@1wt.eu> wrote:
> 
> > On Fri, Oct 08, 2010 at 05:43:06PM -0700, Eric Rescorla wrote:
> > > This case definitely needs to be addressed. It's a completely standard
> > > hosting
> > > configuration.
> >
> > it is correctly addressed by respecting the HTTP protocol which consists in
> > sending Connection: close in the request so that there is no risk that
> > either
> > the web server or any intermediary consider additional data as a second
> > request.
> >
> 
> As I understand this suggestion, for it to provide security it relies on
> servers always
> treating any message with Connection: close as the final message. I don't
> know if
> servers always do this correctly, but since it's not really required for
> interoperability,
> I suspect that some do not.

I really don't buy that. It's been the default mode for HTTP till 1.0 and
the default switched to keep-alive with 1.1. Supporting this header is a
huge requirement to support old browsers, crawlers and various monitoring
tools, otherwise you get back to the situation where both sides wait for
the other one to close. Saying that some servers won't support Upgrade
makes some sense, but saying that some won't support close clearly does
not.

> All other things being equal, I would generally prefer to have a design
> which failed
> safely even if the server did not process Connection: close correctly. I
> believe that the
> design that Adam and I proposed in fact satisfies that desideratum

But it causes other issues caused by its breakage of interoperability with
HTTP content-aware infrastructure components such as URL switchers and load
balancers which are already deployed in almost all shared hosting environments
(namely URLs, Host header and Cookies). So it maybe it satisfies the
requirement of protection against some types of not yet identified servers,
but it does not satisfy anymore the compatibility with existing
infrastructure.

Also, if we're talking about imaginary server implementations, why not
agree that some servers could systematically experience an exploitable
buffer overflow and fire /bin/sh everytime they receive a CONNECT request
with anything that does not look like an IP address ?

We can imagine many things, but at one point, when paranoia prevents one
from satisfying basic requirements, it must be reasonable. Especially
since the advertised goal is to protect from remotely controlled browsers
that will already be able to do much more things by exploiting plain HTTP
than what they can do with a reasonable WS handshake.

Regards,
Willy

v2.23.0 | Report a Bug | By Email