IETF Logo Mail Archive

Re: [hybi] handshake security (was: Frame size)

Ian Hickson <ian@hixie.ch> Mon, 19 April 2010 04:18 UTC

Return-Path: <ian@hixie.ch>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01CDF28C0F3 for <hybi@core3.amsl.com>; Sun, 18 Apr 2010 21:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.812
X-Spam-Level:
X-Spam-Status: No, score=-0.812 tagged_above=-999 required=5 tests=[AWL=-0.627, BAYES_40=-0.185]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-TmIGQEKzRU for <hybi@core3.amsl.com>; Sun, 18 Apr 2010 21:18:50 -0700 (PDT)
Received: from looneymail-a1.g.dreamhost.com (caibbdcaaaaf.dreamhost.com [208.113.200.5]) by core3.amsl.com (Postfix) with ESMTP id 6B4C728C0FA for <hybi@ietf.org>; Sun, 18 Apr 2010 21:18:47 -0700 (PDT)
Received: from ps20323.dreamhostps.com (ps20323.dreamhost.com [69.163.222.251]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by looneymail-a1.g.dreamhost.com (Postfix) with ESMTP id E743515D798; Sun, 18 Apr 2010 21:18:28 -0700 (PDT)
Date: Mon, 19 Apr 2010 04:18:28 +0000
From: Ian Hickson <ian@hixie.ch>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
In-Reply-To: <8B0A9FCBB9832F43971E38010638454F03E7D0682D@SISPE7MB1.commscope.com>
Message-ID: <Pine.LNX.4.64.1004190404290.751@ps20323.dreamhostps.com>
References: <8B0A9FCBB9832F43971E38010638454F03E3F313ED@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004161940180.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0678C@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190009190.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D067A9@SISPE7MB1.commscope.com> <Pine.LNX.4.64.1004190159340.751@ps20323.dreamhostps.com> <8B0A9FCBB9832F43971E38010638454F03E7D0682D@SISPE7MB1.commscope.com>
Content-Language: en-GB-hixie
Content-Style-Type: text/css
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] handshake security (was: Frame size)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 04:19:04 -0000

On Mon, 19 Apr 2010, Thomson, Martin wrote:
> > 
> > The new handshake works around this (as described in the message 
> > above) by requiring that the server prove that it checked the 
> > handshake. In the scenario above, the server would fail to find the 
> > right information to create that proof; there is a much better chance 
> > that the author would then bail rather than continue trying to listen 
> > for further frames.
> 
> Post mortem detection of the problem doesn't solve anything.  If the 
> browser has sent the XHR blindly, the damage is done by the time that it 
> learns that the server is a dumb WS implementation.  You can't go and 
> stuff the missiles back in their silos.

The idea is not to make the client able to do anything, the idea is to 
make the server more likely to fail to get to the point where it is 
accepting frames without having checked that it's a Web Socket client.


> If the server only looks for certain markers, then I imagine that an 
> SMTP message could trigger launch in the same fashion.  It doesn't stop 
> the attack.

I don't see how you could cause any privileged machine in this scenario to 
connect to the Web Socket server using SMTP. Could you elaborate on that?


> What you are trying here is analogous to a qualification exam for server 
> implementers.  If they can pass this test, then you assume that they're 
> smart enough not to make other silly mistakes.

Not really. I have no doubt that most amateur programmers would have no 
more trouble with the handshake than anything else (it's pretty trivial, 
after all). However, to do the handshake correctly they need to collect 
the information. If they fail to collect the information, they can't send 
back the handshake. What I'm assuming is that if they can't send back the 
handshake, they won't just send back nothing and then look for frames. To 
help with this, in the case where they don't have the information, they'll 
likely also have to deal with a division by zero, which in many cases will 
effectively mean they ignore the frames (as their program will have 
crashed or at least failed in some non-trivial way).

It's naturally possible for a programmer to fail to collect all the 
information, catch the division by zero, and _still_ go out of their way 
to look for frames and thus be vulnerable. There's only so much we can do.


> That requires a little too much suspension of disbelief for me.

It would be good to test the protocol to find out how often it is 
correctly implemented. Once their are some browser implementations of this 
handshake, I would like to see how a group of programmers from various 
backgrounds who have not been participating in this working group manage; 
this would give us real world data pointing out problem areas, whether 
there are areas prone to security problem that we had not considered, etc.


> It's quite possible that any viable solution to that problem would be 
> more trouble than it's worth.  (you know, there might be a business in 
> that...)

Not sure what you mean.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

v2.23.0 | Report a Bug | By Email