Re: [hybi] Web sockets and existing HTTP stacks
Greg Wilkins <gregw@webtide.com> Wed, 03 February 2010 23:03 UTC
Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A10053A699E for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 15:03:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.51
X-Spam-Level:
X-Spam-Status: No, score=-2.51 tagged_above=-999 required=5 tests=[AWL=0.089, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEGjHG4gDKX8 for <hybi@core3.amsl.com>; Wed, 3 Feb 2010 15:03:01 -0800 (PST)
Received: from mail-bw0-f219.google.com (mail-bw0-f219.google.com [209.85.218.219]) by core3.amsl.com (Postfix) with ESMTP id 16C613A6996 for <hybi@ietf.org>; Wed, 3 Feb 2010 15:03:00 -0800 (PST)
Received: by bwz19 with SMTP id 19so656915bwz.28 for <hybi@ietf.org>; Wed, 03 Feb 2010 15:03:41 -0800 (PST)
Received: by 10.204.156.212 with SMTP id y20mr107867bkw.126.1265238220546; Wed, 03 Feb 2010 15:03:40 -0800 (PST)
Received: from ?10.10.1.11? (60-242-119-126.tpgi.com.au [60.242.119.126]) by mx.google.com with ESMTPS id 14sm3576204bwz.13.2010.02.03.15.03.35 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 03 Feb 2010 15:03:39 -0800 (PST)
Message-ID: <4B6A00C0.3060305@webtide.com>
Date: Thu, 04 Feb 2010 10:03:28 +1100
From: Greg Wilkins <gregw@webtide.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Vladimir Katardjiev <vladimir@d2dx.com>
References: <557ae280911171402v7546e5e7n93a1e57f87dc10e5@mail.gmail.com> <ad99d8ce1002012139l3b8f525bj9caf7861332f3d18@mail.gmail.com> <1427E183-FDBC-4854-9455-B93AB28DAB03@apple.com> <ad99d8ce1002012343n132169f8wbaacc1cf4efe2f87@mail.gmail.com> <31123817-6D3F-489D-9F48-109AC93E6769@apple.com> <ad99d8ce1002030000i566f3517qddf4e62f386c9211@mail.gmail.com> <4B692EDB.1060300@gmx.de> <E9DF7FE9-70F0-4268-8CEF-1007D71F9FBB@apple.com> <ad99d8ce1002030107i5994c847yf639b660dc64cdc9@mail.gmail.com> <7CB6EE56-B840-4368-ABAF-C8AA1CCE6600@apple.com> <ad99d8ce1002030956w7503957eg8bd6e88da66a884a@mail.gmail.com> <D8279D52-AE47-46F6-84DA-8E348116662A@apple.com> <ADFF563C-46E7-457D-86BE-6EFEB1F57AFD@d2dx.com>
In-Reply-To: <ADFF563C-46E7-457D-86BE-6EFEB1F57AFD@d2dx.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: hybi@ietf.org
Subject: Re: [hybi] Web sockets and existing HTTP stacks
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 23:03:02 -0000
Vladimir, I think that the idea is that the attacker is not able to pick the nonce and thus not able to predict the response. The attacker would trick some webuser to run their js, it would open a websocket connection to some URL, but it would be the browser that thinks of the nonce, so even if the attacker was able to inject arbitrary text into the response, they would not know the nonce and would not be able to insert the correct hash. The browser would see the wrong hash and not complete the handshake. I still think that this is putting too much responsibility on websocket to not be usable to exploit an insecure server. The security problem here is that the server is injectable, not that websockets can be used to exploit it. But then the nonce proposal is really easy to implement, so there is little harm. I'm also not convinced that if the browser was tricked into opening a websocket to a HTTP server, that it could send any messages that would look like valid HTTP requests. If in doubt, then perhaps a few more fixed bytes on every WS frame are needed. If the bytes "WS" were sent before every message, then nobody could spoof a "GET ..." or a "POST ..." - which I think is impossible anyway with both length and sentinel framing. But if anybody from chrome/mozilla/opera wants to experiment with the nonce, I can have it implemented in the jetty server in about 10 minutes. cheers Vladimir Katardjiev wrote: > For reference, linking the message from Maciej with the problem statement. http://www.ietf.org/mail-archive/web/hybi/current/msg01198.html > > On 3 feb 2010, at 23.17, Maciej Stachowiak wrote: > >>> You can still do [the nonce] as an HTTP header. >> Indeed! And that was my original proposal. But I have been advised that the status line could afford stronger protection. > > I can appreciate the logic in having the mandatory response before the request is able to manipulate the output. On the other hand, if the request has anyway successfully manipulated the first bytes of the output to state "HTTP/1.1 101 Web Socket Protocol Handshake", it stands to reason that a couple of more bytes at the end of that won't pose much of a difficulty for an attacker. (Alternatively, the remote host is a WebSocket aware endpoint, at which point you don't have a cross-protocol vulnerability anyway). > > In any event, assuming the nonce is unpredictable, the only case in which an unaware server can be tricked into sending back a correct response is if the client is able to make the server compute it. Since this is tantamount to executing arbitrary code on the server, I'd say that's a case that can't be combated, as arbitrary code can always send back the proper response. > > For the second case, I don't see at all why this would help on a websocket server that doesn't validate input data... or on a websocket server at all. Since the nonce is opaque to the server, why can't I just send something that pretends to be a nonce from my xhr? It should properly parse, as long as it's [a-zA-Z0-9]+ and the server will happily reply. But it stands to reason if you don't validate your input you're open to attacks. The best you can do is always force the WebSocket server to validate the handshake (which, if I'm not mistaken, you're arguing anyway?) > > Vladimir > > > > ------------------------------------------------------------------------ > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Jamie Lokier
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Greg Wilkins
- [hybi] Fwd: Web sockets and existing HTTP stacks Christian Biesinger
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Jamie Lokier
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Christian Biesinger
- Re: [hybi] Fwd: Web sockets and existing HTTP sta… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Ian Hickson
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Alexey Proskuryakov
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Justin Erenkrantz
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Jamie Lokier
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Justin Erenkrantz
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Jamie Lokier
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Mark Nottingham
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Ian Hickson
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Greg Wilkins
- Re: [hybi] [whatwg] Web sockets and existing HTTP… Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Ian Hickson
- Re: [hybi] Web sockets and existing HTTP stacks Justin Erenkrantz
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks L.Wood
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Justin Erenkrantz
- Re: [hybi] Web sockets and existing HTTP stacks SM
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Mark Nottingham
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Pieter Hintjens
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks SM
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- [hybi] Sentinel framing. was: Web sockets and exi… Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Francis Brosnan Blazquez
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Jamie Lokier
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Mridul Muralidharan
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Julian Reschke
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Roberto Peon
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak
- Re: [hybi] Web sockets and existing HTTP stacks Vladimir Katardjiev
- Re: [hybi] Web sockets and existing HTTP stacks Greg Wilkins
- Re: [hybi] Web sockets and existing HTTP stacks Maciej Stachowiak