IETF Logo Mail Archive

Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth <ietf@adambarth.com> Mon, 11 October 2010 17:10 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2B0853A6B01 for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 10:10:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.984
X-Spam-Level:
X-Spam-Status: No, score=-1.984 tagged_above=-999 required=5 tests=[AWL=-0.007, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ecjtIgPBHVAz for <hybi@core3.amsl.com>; Mon, 11 Oct 2010 10:10:35 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by core3.amsl.com (Postfix) with ESMTP id CD90E3A6867 for <hybi@ietf.org>; Mon, 11 Oct 2010 10:10:34 -0700 (PDT)
Received: by qyk8 with SMTP id 8so1180719qyk.10 for <hybi@ietf.org>; Mon, 11 Oct 2010 10:11:46 -0700 (PDT)
Received: by 10.224.87.89 with SMTP id v25mr4711406qal.163.1286817092569; Mon, 11 Oct 2010 10:11:32 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by mx.google.com with ESMTPS id l14sm3718543qck.29.2010.10.11.10.11.30 (version=SSLv3 cipher=RC4-MD5); Mon, 11 Oct 2010 10:11:30 -0700 (PDT)
Received: by vws12 with SMTP id 12so820389vws.31 for <hybi@ietf.org>; Mon, 11 Oct 2010 10:11:29 -0700 (PDT)
Received: by 10.220.95.204 with SMTP id e12mr2008584vcn.146.1286817089767; Mon, 11 Oct 2010 10:11:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.72.205 with HTTP; Mon, 11 Oct 2010 10:10:57 -0700 (PDT)
In-Reply-To: <4CB341CC.90300@caucho.com>
References: <4CAFA043.10101@caucho.com> <AANLkTi=eo-cjBz160FN0cn53v4-CpDSYaEneqkr_ZP7k@mail.gmail.com> <AANLkTi=B1rGBgi4jYZ_TqX9Qt1xtXoyneZtztnLOkW6b@mail.gmail.com> <4CAFBD75.4020004@caucho.com> <r7gva6tv01olonop6co9ftn63dlqmhnts3@hive.bjoern.hoehrmann.de> <4CB0915A.1030400@caucho.com> <at41b6tsldo70ddhkokv8laoie5m99p35s@hive.bjoern.hoehrmann.de> <4CB0A27D.9000307@caucho.com> <m2c1b6dkeesdbh66no4hdfn86mhkq1mfiv@hive.bjoern.hoehrmann.de> <4CB10E6D.8000706@caucho.com> <6o32b65n4kjrueo7e5fb1n9n3m2g7lfg5r@hive.bjoern.hoehrmann.de> <4CB341CC.90300@caucho.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 11 Oct 2010 10:10:57 -0700
Message-ID: <AANLkTinJM9fK2p2-kp5-PaNsWGA9EiJgxFbOXwC0hE+v@mail.gmail.com>
To: Scott Ferguson <ferg@caucho.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: hybi <hybi@ietf.org>, Bjoern Hoehrmann <derhoermi@gmx.net>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Oct 2010 17:10:38 -0000

On Mon, Oct 11, 2010 at 9:56 AM, Scott Ferguson <ferg@caucho.com> wrote:
> Your attack assumes a needle in a haystack on the part of the attacker. Not
> only must the attacker add a site to the target's own web server,

This is not as hard as you might think:

http://people.csail.mit.edu/tromer/papers/cloudsec.pdf (see Section 7).

> he must
> hijack one of the target's own browsers while they're in the office which is
> a tiny universe of browsers.

This is also not that hard.  When thinking about browser security, we
usually give this to the attacker for free.

> Adam insisted on a non-upgraded HTTP server. Until he drops that
> requirement, you can't change the attack to an upgraded WebSocket-aware
> server.

This requirement isn't going anywhere.  I was surprised that it's not
in the requirements document.  It should be.

>> If it allows it for some then the
>> protection is meaningless, as the WEBSOCKET request goes to the attacker
>> (and similarily on point 6, the DELETE request goes to the attacker).
>
> You didn't address point #6, the open DELETE.
>
> The target is pre-compromised because it has an open DELETE (point #6) and
> the target is pre-compromised because it's on the same machine as the
> attacker (point #1).
>
> You're requiring a pre-compromised target to make this attack work.

I'm not sure what pre-compromised means.  I'm not sure that I'd run my
servers in this configuration, but that doesn't mean lots of other
people don't.

>> I do not quite understand point 4, but
>
> The point of #4 is that the universe of potential targets is restricted to
> those who don't care about security. Any site can have its own web server
> for $11/month, eliminating this attack entirely. No site seriously concerned
> with security would use a shared machine configuration because it's
> basically pre-compromised.

Well, we're interested in protecting the little guy too.

> In particular this restricts #3, the universe of browsers the target could
> hijack, because a small site with no security considerations is a tiny
> office with few target browsers.

Getting targeted folks to visit your web site isn't really that hard.
In fact, there's an entire industry devoted to exactly that:
advertising.  Failing that, targeted spam campaigns can also be very
effect.

By in any case, these are just the usual threat environment we work
with.  It's like asking how the attacker got a ciphertext/plaintext
pair to analyze when thinking about the security of a block cipher.

Adam

v2.23.0 | Report a Bug | By Email