IETF Logo Mail Archive

Re: [hybi] Redesigning the Web Socket handshake

Maciej Stachowiak <mjs@apple.com> Wed, 03 February 2010 04:06 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 338053A694E for <hybi@core3.amsl.com>; Tue, 2 Feb 2010 20:06:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.088
X-Spam-Level:
X-Spam-Status: No, score=-106.088 tagged_above=-999 required=5 tests=[AWL=-0.089, BAYES_00=-2.599, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ST0EfXqzWlSk for <hybi@core3.amsl.com>; Tue, 2 Feb 2010 20:06:02 -0800 (PST)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 480543A6889 for <hybi@ietf.org>; Tue, 2 Feb 2010 20:06:02 -0800 (PST)
Received: from relay16.apple.com (relay16.apple.com [17.128.113.55]) by mail-out4.apple.com (Postfix) with ESMTP id 36D8E89E00CD for <hybi@ietf.org>; Tue, 2 Feb 2010 20:06:43 -0800 (PST)
X-AuditID: 11807137-b7bd4ae000000f0d-0a-4b68f653d90b
Received: from gertie.apple.com (gertie.apple.com [17.151.62.15]) by relay16.apple.com (Apple SCV relay) with SMTP id 72.3E.03853.356F86B4; Tue, 2 Feb 2010 20:06:43 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.86.222] by gertie.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0KX800441ZF6SV80@gertie.apple.com> for hybi@ietf.org; Tue, 02 Feb 2010 20:06:43 -0800 (PST)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <20100203024441.GR32743@shareable.org>
Date: Tue, 02 Feb 2010 20:06:42 -0800
Message-id: <67589E5D-C108-4141-B863-12CF74EC5AB5@apple.com>
References: <Pine.LNX.4.64.1002012305000.21600@ps20323.dreamhostps.com> <4B676E8C.70804@webtide.com> <Pine.LNX.4.64.1002020311030.3846@ps20323.dreamhostps.com> <4B679E2C.2080502@webtide.com> <FD440FEA-9F53-4F4C-8AA5-98B23318F0F7@apple.com> <20100203024441.GR32743@shareable.org>
To: Jamie Lokier <jamie@shareable.org>
X-Mailer: Apple Mail (2.1077)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: hybi@ietf.org
Subject: Re: [hybi] Redesigning the Web Socket handshake
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 04:06:03 -0000

On Feb 2, 2010, at 6:44 PM, Jamie Lokier wrote:

> Maciej Stachowiak wrote:
>> Did anyone really say that? Isn't mod_pywebsocket a proof that it is in fact possible: <http://code.google.com/p/pywebsocket/>?
> 
> Curious: Is it compliant?  I.e. does it reject requests which aren't
> matching the exact octets needed, and create a response which does
> match the exact octets needed?

I don;t actually know. Note that the spec does not require

> 
> Or does it just work without being WebSocket spec compliant?
> 
>> As far as I can tell, the WebSocket spec does not require special
>> hardcoded handling of the request handshake. It's totally allowed to
>> run it through a normal HTTP stack. In fact, it's totally allowed
>> for servers to do no checking of the client request handshake at
>> all, but that creates a security hole (possibility of violating
>> integrity of a WebSocket service with XDomainRequest, cross-site XHR
>> or cross-site form submission), one of the security holes we are
>> trying to fix.
> 
> Is it permitted to not check the client request and be WebSocket spec compliant?
> (Not just work, but be able to claim compliance.)

As far as I can tell, yes.

> 
>> FWIW I think my nonce proposal would allow doing this for the
>> response at no cost in security - getting your victim to echo back a
>> hash of an unpredictable nonce is so unlikely that there's no need to
>> count on newlines in the handshake.
> 
> hash(nonce) + regular HTTP would go through proxies.
> 
> Current proposal intentionally fails at compliant HTTP proxies, on port 80,
> doesn't it?

I think they would still fail because of the upgrade request. 

> (I'm wondering why the CORS check used for XmlHttpRequest is
> unsuitable, though.)

I think CORS might have a potential weakness too. But not quite the same as the vulnerabilities I'm worried about. WebSocket won't start transmitting actual messages until it sees the handshake, while XHR will transmit the message body without checking for an HTTP response first. However, it can only send cross-site what you can already send with forms, so it does not open any new attack surface.

> 
> Maybe we can take the nonce idea further: An "are you a WebSocket
> server that supports subprotocols X,Y,Z that I must have" check, where
> a WebSocket server that doesn't support X,Y,Z would fail it.  That'd
> be infinitely more reliable than HTTP's Expect mechanism, which relies
> on proactive implementation by server developers who sometimes don't,
> making it unusable.
> 
> If you like that idea, I'll describe how it would work.

I'm not sure I fully understand it from your description.

Regards,
Maciej

v2.29.0 | Report a Bug | By Email | System Status