Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

Maciej Stachowiak <mjs@apple.com> Wed, 01 December 2010 23:07 UTC

From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <AANLkTik+pmVoyK0fkz6mG0+KDqdvyVxaYtM9w7KDo4Xa@mail.gmail.com>
Date: Wed, 01 Dec 2010 15:08:48 -0800
Message-id: <22E8BF2D-C86E-4A2A-9D4D-8DE070474324@apple.com>
References: <AANLkTik0wR-Oag5YJJDmdiSy67WW6TMaHmqWEo4o5kGW@mail.gmail.com> <AANLkTimwEtKrJm5KxTYZ4wrtONBYDTGjE5LF7__AHBEU@mail.gmail.com> <AANLkTik+pmVoyK0fkz6mG0+KDqdvyVxaYtM9w7KDo4Xa@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Experiment comparing Upgrade and CONNECT handshakes

On Dec 1, 2010, at 11:45 AM, Zhong Yu wrote:

> We can still cross examine the data and find something mysterious.
> 
> From POST to Upgrade column, the firewall circumvention attack
> successes decrease from 1376 to 1. If I'm mistaken, please correct me
> with the right explanation, but I believe the POST experiment sent
> clean/compliant HTTP requests, and the Upgrade experiment sent the
> attack data framed - the non-http bytes busted 99.9% parsers used by
> the transparent proxies.
> 
> Yet, the cache poisoning attack success count only drops from 15 to 8.
> This attack also depends on proxies' ability to parse http requests.
> If the non-http bytes in the Upgrade protocol would bust 99.9%
> parsers, we should see the attack success count drop to 15/1000 = 0.
> 
> So I must question the validity of the 8 successful attacks. (Note I also
> questioned the 1 successful attack in the firewall circumvention case.)
> More details are needed to analyze the experiments and the results.
> 
> This is important because these 9 cases are the only evidence
> presented so far that plaintext payload in simple framing could be
> misinterpreted as compliant HTTP requests although it is not. The
> evidence is used to argue for stream obfuscation. As the only
> evidence, it should be examined carefully.

Perhaps Adam & company could publish the experiment code and cite it in the paper, so that anyone who is skeptical of the results could attempt to replicate the experiment or attempt to identify methodological errors. (It's sad that this is not the norm for CS papers.)

It might even be possible, though more work, to attempt replication solely based on the info in the paper.

Regards,
Maciej