Re: [hybi] handshake security (was: Frame size)
Ian Hickson <ian@hixie.ch> Mon, 19 April 2010 04:18 UTC
Return-Path: <ian@hixie.ch>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01CDF28C0F3 for <hybi@core3.amsl.com>; Sun, 18 Apr 2010 21:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.812
X-Spam-Level:
X-Spam-Status: No, score=-0.812 tagged_above=-999 required=5 tests=[AWL=-0.627, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-TmIGQEKzRU for <hybi@core3.amsl.com>; Sun, 18 Apr 2010 21:18:50 -0700 (PDT)
Received: from looneymail-a1.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id 6B4C728C0FA for <hybi@ietf.org>; Sun, 18 Apr 2010 21:18:47 -0700 (PDT)
Received: from ps20323.dreamhostps.com (ps20323.dreamhost.com [69.163.222.251]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by looneymail-a1.g.dreamhost.com (Postfix) with ESMTP id E743515D798; Sun, 18 Apr 2010 21:18:28 -0700 (PDT)
Date: Mon, 19 Apr 2010 04:18:28 +0000
From: Ian Hickson <ian@hixie.ch>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
In-Reply-To: <8B0A9FCBB9832F43971E38010638454F03E7D0682D@SISPE7MB1.commscope.com>
Message-ID: <Pine.LNX.4.64.1004190404290.751@ps20323.dreamhostps.com>
References: <8B0A9FCBB9832F43971E38010638454F03E3F313ED@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004161940180.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0678C@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190009190.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D067A9@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190159340.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0682D@SISPE7MB1.commscope.com>
Content-Language: en-GB-hixie
Content-Style-Type: text/css
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] handshake security (was: Frame size)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 04:19:04 -0000
On Mon, 19 Apr 2010, Thomson, Martin wrote: > > > > The new handshake works around this (as described in the message > > above) by requiring that the server prove that it checked the > > handshake. In the scenario above, the server would fail to find the > > right information to create that proof; there is a much better chance > > that the author would then bail rather than continue trying to listen > > for further frames. > > Post mortem detection of the problem doesn't solve anything. If the > browser has sent the XHR blindly, the damage is done by the time that it > learns that the server is a dumb WS implementation. You can't go and > stuff the missiles back in their silos. The idea is not to make the client able to do anything, the idea is to make the server more likely to fail to get to the point where it is accepting frames without having checked that it's a Web Socket client. > If the server only looks for certain markers, then I imagine that an > SMTP message could trigger launch in the same fashion. It doesn't stop > the attack. I don't see how you could cause any privileged machine in this scenario to connect to the Web Socket server using SMTP. Could you elaborate on that? > What you are trying here is analogous to a qualification exam for server > implementers. If they can pass this test, then you assume that they're > smart enough not to make other silly mistakes. Not really. I have no doubt that most amateur programmers would have no more trouble with the handshake than anything else (it's pretty trivial, after all). However, to do the handshake correctly they need to collect the information. If they fail to collect the information, they can't send back the handshake. What I'm assuming is that if they can't send back the handshake, they won't just send back nothing and then look for frames. To help with this, in the case where they don't have the information, they'll likely also have to deal with a division by zero, which in many cases will effectively mean they ignore the frames (as their program will have crashed or at least failed in some non-trivial way). It's naturally possible for a programmer to fail to collect all the information, catch the division by zero, and _still_ go out of their way to look for frames and thus be vulnerable. There's only so much we can do. > That requires a little too much suspension of disbelief for me. It would be good to test the protocol to find out how often it is correctly implemented. Once their are some browser implementations of this handshake, I would like to see how a group of programmers from various backgrounds who have not been participating in this working group manage; this would give us real world data pointing out problem areas, whether there are areas prone to security problem that we had not considered, etc. > It's quite possible that any viable solution to that problem would be > more trouble than it's worth. (you know, there might be a business in > that...) Not sure what you mean. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
- Re: [hybi] Frame size Justin Erenkrantz
- [hybi] Frame size Thomson, Martin
- Re: [hybi] Frame size Roberto Peon
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] Frame size Greg Wilkins
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] Frame size Roberto Peon
- Re: [hybi] Frame size Ian Hickson
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] Frame size Thomson, Martin
- Re: [hybi] Frame size Greg Wilkins
- Re: [hybi] Frame size Justin Erenkrantz
- Re: [hybi] Frame size Greg Wilkins
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] Frame size Greg Wilkins
- Re: [hybi] Frame size Thomson, Martin
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Ian Hickson
- Re: [hybi] Frame size Ian Hickson
- Re: [hybi] Frame size Thomson, Martin
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Ian Hickson
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Thomson, Martin
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Thomson, Martin
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Ian Hickson
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Anne van Kesteren
- Re: [hybi] Frame size Thomson, Martin
- Re: [hybi] handshake security (was: Frame size) Thomson, Martin
- Re: [hybi] Frame size Ian Hickson
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] handshake security (was: Frame size) Ian Hickson
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] handshake security (was: Frame size) Thomson, Martin
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] handshake security (was: Frame size) Ian Hickson
- Re: [hybi] Frame size Greg Wilkins
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Scott Ferguson
- Re: [hybi] Frame size Mike Belshe
- Re: [hybi] Frame size Jamie Lokier
- Re: [hybi] handshake security (was: Frame size) Jamie Lokier
- Re: [hybi] Frame size Lars Eggert
- Re: [hybi] Frame size Jamie Lokier