Re: [hybi] WebSocket handshake (HTTP and SSO)

Adam Barth <ietf@adambarth.com> Wed, 01 September 2010 17:16 UTC

On Wed, Sep 1, 2010 at 9:19 AM, Scott Ferguson <ferg@caucho.com> wrote:
> Adam Barth wrote:
>> On Tue, Aug 31, 2010 at 6:39 PM, Scott Ferguson <ferg@caucho.com> wrote:
>>> a) To validate the server as websocket server (as opposed to an SMTP
>>> server), the client creates a securely-generated random nonce, c_nonce
>>> and sends it in C1. The server sends back a hash in S2, like
>>> H(c_nonce, "WebSocket"). Since no server other than a websocket server
>>> will generate that hash, you've verified that the server is a websocket
>>> server.
>>
>> This assumption is not correct.  Consider, for example, a protocol
>> like DNS or an HTTP proxy where the attacker is given some control
>> over the server's response.  We have no guarantee that S2 was actually
>> generated by the server and not by some other entity and just relayed
>> by the server.
>>
>
> Yes, and that's a very important point.
>
> If the hijacker has access to c_nonce or can predict it (like a non-securely
> random c_nonce), then the hijacker can generate the hash and trick a
> non-websocket server into returning it. The browser must absolutely keep the
> c_nonce secret from the hijacker and prevent the hijacker from computing
> H(c_nonce, "WebSocket") for the hash validation of the server to work.
>
> But if the hijacker can't generate H(c_nonce, "WebSocket") himself, though,
> he can't trick some non-websocket server into computing that hash. Tricking
> a server into echoing or simple manipulation, sure, but not forcing a
> computation of a hash foreign to the server's protocol.
>
> (The same issue applies to the current protocol, even though the hash
> function is different.)

Indeed.  The security argument for the non-TLS handshake then relies
not only upon the nonces but also upon the bytes of the protocol that
surround the nonces, which is one reason why its security is dodgy.

Adam
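
The nonce check discussed in this exchange, modelled as an added example that is not part of the original message or of any hybi draft. The thread does not define H, so it is assumed here to be SHA-256 over c_nonce followed by the label; the server functions and scenario names are hypothetical.

```python
import hashlib
import hmac
import random
import secrets

LABEL = b"WebSocket"

def H(c_nonce: bytes) -> bytes:
    # Assumption: H(c_nonce, "WebSocket") modelled as SHA-256(c_nonce || label).
    return hashlib.sha256(c_nonce + LABEL).digest()

def websocket_server(c1_nonce: bytes) -> bytes:
    """Genuine WebSocket server: computes S2 from the nonce it received in C1."""
    return H(c1_nonce)

def reflecting_server(influenced_bytes: bytes) -> bytes:
    """Hypothetical non-WebSocket server whose response carries bytes chosen
    by another party. It relays them and never computes H itself."""
    return influenced_bytes

def client_accepts(c_nonce: bytes, s2: bytes) -> bool:
    # Constant-time comparison of the expected hash with what came back in S2.
    return hmac.compare_digest(H(c_nonce), s2)

def predictable_nonce(seed: int) -> bytes:
    # Non-cryptographic PRNG: anyone who knows the seed reproduces the nonce.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))

def run_scenarios() -> dict:
    results = {}
    n = secrets.token_bytes(16)  # securely generated c_nonce
    # 1. Genuine server computes the hash: accepted.
    results["genuine_server"] = client_accepts(n, websocket_server(n))
    # 2. Relay of a hash made without knowing c_nonce: rejected.
    guess = secrets.token_bytes(16)
    results["relay_secret_nonce"] = client_accepts(n, reflecting_server(H(guess)))
    # 3. Echo or simple manipulation of the nonce, no hash computed: rejected.
    results["echo_only"] = client_accepts(n, reflecting_server(n + LABEL))
    # 4. Predictable c_nonce (constructed seed): the relayed S2 is accepted even
    #    though the server never generated it, which is the case Adam raises.
    weak = predictable_nonce(2010)
    forged = H(predictable_nonce(2010))
    results["relay_predicted_nonce"] = client_accepts(weak, reflecting_server(forged))
    return results

if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Scenario 4 passes the client's check without any WebSocket server being involved, so the check authenticates knowledge of c_nonce rather than the identity of the responding server.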