Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes
Zhong Yu <zhong.j.yu@gmail.com> Wed, 01 December 2010 19:43 UTC
On Wed, Dec 1, 2010 at 11:00 AM, Adam Barth <ietf@adambarth.com> wrote:
> On Tue, Nov 30, 2010 at 7:33 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>> In the singular successful case, the transparent proxy ignored these
>> non-http bytes and constructed a http request anyway, at least, it
>> extracted the "Host" header. For this attack to be really useful, it's
>> not enough that the bytes are tunneled to target.com. The proxy must
>> strip non-http bytes and send a compliant http request to target.com.
>> Or, the proxy forwards all bytes to target.com, and target server
>> strips non-http bytes and reconstructs the intended http request. Did
>> one of these two things actually happen in the experiment?
>
> We didn't test the framing in this experiment, just the handshakes.

The attack occurs after handshake, doesn't it? The attack data must be
framed, otherwise how do you explain that in the POST case, the attack
succeeds 1376 times, while in the Upgrade case, it only succeeds 1
time. What's the difference if it's not due to framing?

> The target server was a stock Apache server. That means the proxy
> forwarded the request in such a form that stock Apache was willing to
> respond to it.

Apache will respond 400 Bad Request to garbage inputs. That shouldn't
be counted as a successful attack. It is unclear from your paper how
it is counted.

>> I'm voting for CONNECT method with real Host header.
>
> IMHO, we should adopt the CONNECT handshake first and discuss the
> details of what Host header to send second.

How about CONNECT+Upgrade, everybody is happy.

>
>> = Inconsistent data regarding cache poisoning attack =
>>
>> Although the Upgrade handshake reduced firewall circumvention attack
>> to 1/1000, it does not have the same luck with cache poisoning attack,
>> according to the paper. 50% attacks still got through. That is *very*
>> surprising. Caching proxies must demarcate requests precisely, how do
>> they have such a higher tolerance of corrupt stream? How come 99.9%
>> host-based-routing proxies are busted by the stream, yet 50% of
>> ip-based caching proxies are not busted? I must respectfully
>> disbelieve the result for now.
>
> I'm not sure where you got the 50% number from. You're reading the
> table incorrectly. Each of the different handshakes (POST, Upgrade,
> and CONNECT) are different experimental conditions (technically
> within-subjects conditions). To understand the data in Table II, you
> should read the data vertically, not horizontally.

We can still cross examine the data and find something mysterious.

From POST to Upgrade column, the firewall circumvention attack
successes decrease from 1376 to 1. If I'm mistaken, please correct me
with the right explanation, but I believe the POST experiment sent
clean/compliant HTTP requests, and the Upgrade experiment sent the
attack data framed - the non-http bytes busted 99.9% parsers used by
the transparent proxies.

Yet, the cache poisoning attack success count only drops from 15 to 8.
This attack also depends on proxies' ability to parse http requests.
If the non-http bytes in the Upgrade protocol would bust 99.9%
parsers, we should see the attack success count drop to 15/1000 = 0.
So I must question the validity of the 8 successful attacks. (Note I
also questioned the 1 successful attack in the firewall circumvention
case.)

More details are needed to analyze the experiments and the results.
This is important because these 9 cases are the only evidence
presented so far that plaintext payload in simple framing could be
misinterpreted as compliant HTTP requests although it is not. The
evidence is used to argue for stream obfuscation. As the only
evidence, it should be examined carefully.

>
> One way to think about the effectiveness of the cache poisoning attack
> is in exploits per dollar. We show that (without any targeting) an
> attacker can achieve 8 exploits for $100, which is concerning.
>
> Adam
>
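
Added example, not part of the original message or of the paper under discussion: it contrasts a strict parser, which answers a framed stream with 400, with a tolerant intermediary that skips the non-http bytes and still extracts Host, which is the distinction the message says the success counts depend on. The 0x00/0xFF sentinel framing, the host name target.example and all function names are assumptions.

```python
import re

# Constructed samples. The sentinel framing (0x00 ... 0xFF) is an assumption
# standing in for the "simple framing" the message refers to.
CLEAN = b"GET /probe HTTP/1.1\r\nHost: target.example\r\n\r\n"
FRAMED = b"\x00" + CLEAN + b"\xff"

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([^\s:]+):[ \t]*(.*?)[ \t]*$")


def strict_parse(stream):
    """Parse from byte 0 and return (status, host); anything malformed is 400."""
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return 400, None
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return 400, None  # leading non-http bytes land here
    host = None
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            return 400, None
        if m.group(1).lower() == b"host":
            if host is not None:
                return 400, None  # duplicate Host is ambiguous, reject
            host = m.group(2).decode("ascii", "replace")
    return (200, host) if host else (400, None)


def lenient_host_scan(stream):
    """Model of a tolerant intermediary: take the first Host line found anywhere."""
    m = re.search(rb"(?im)^host:[ \t]*([^\r\n]+)", stream)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def count_as_success(stream):
    """Tally a probe only if a strict endpoint would serve it as a request."""
    status, _ = strict_parse(stream)
    return status == 200


if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("framed", FRAMED)):
        print(name, strict_parse(data), lenient_host_scan(data), count_as_success(data))
```
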