Re: [hybi] Handshake was: The WebSocket protocol issues.

Maciej Stachowiak <mjs@apple.com> Mon, 27 September 2010 00:44 UTC


Here is an email from February where I summarized some of the risks from cross-protocol attacks for WebSocket:

http://www.ietf.org/mail-archive/web/hybi/current/msg01198.html

Sorry about the formatting, it seems that the archives didn't like my mail client. You may have an easier time reading it if you copy that web page into an editor that wraps lines.

Important thing to keep in mind: there are potential attacks in either direction. We must make sure that the WebSocket protocol cannot be used for cross-protocol attacks on existing HTTP servers, and we want to make sure that WebSocket servers are not vulnerable to cross-protocol attacks from HTTP.

Cross-protocol attacks are a subtle and complicated issue. If you search for the phrase "cross-protocol attacks" on your favorite search engine you can find more issues about this general area.

Regards,
Maciej 

On Sep 24, 2010, at 2:52 AM, Alexander Voronin wrote:

> What kind of cross-protocol attacks are you talking about all this time? Using the simplest handshake with framed data transfer and relying on browser security policies, it seems to be impossible. Do you have any real examples of this?
> 
> 2010/9/24 Maciej Stachowiak <mjs@apple.com>
> 
> 
> This proposal does not appear to defend against a cross-protocol attack on a WebSocket server using a browser-hosted HTTP API.
> 
> It also appears to add more round trips before actual message sending can begin in either direction.
> 
> Regards,
> Maciej
> 
> 
> 
> 
> 
> -- 
> When I had sunk to the very bottom, someone knocked from below..