Re: [hybi] Handshake was: The WebSocket protocol issues.

Scott Ferguson <ferg@caucho.com> Fri, 08 October 2010 22:49 UTC

Message-ID: <4CAFA043.10101@caucho.com>
Date: Fri, 08 Oct 2010 15:50:43 -0700
From: Scott Ferguson <ferg@caucho.com>
To: Adam Barth <ietf@adambarth.com>
In-Reply-To: <AANLkTinnnT5Oib7FvDdZF2q_WUT8=q8KNmfkfajE0Mor@mail.gmail.com>
Cc: hybi <hybi@ietf.org>
Subject: Re: [hybi] Handshake was: The WebSocket protocol issues.

Adam Barth wrote:
> On Fri, Oct 8, 2010 at 3:04 PM, Scott Ferguson <ferg@caucho.com> wrote:
>> Scott Ferguson wrote:
>>> Adam Barth wrote:
>>>> Consider, for example, a virtual hosting environment in which the
>>>> attacker can place PHP scripts on the server....  Now, the attacker can
>>>> complete the WebSocket handshake
>>>> because the PHP script can compute the HMAC and send the appropriate
>>>> response header.
>>>
>>> Proposed attack: Attack server S with the help of DNS (or hosted HTTP
>>> server.)
>>>
>>> You need to demonstrate a sequence of connections to make that attack work
>>> (without using a WebServer proxy or time travel). For discussion, I've
>>> granted you syntax, but you must still demonstrate your sequence of
>>> connections and propagation of the c-nonce and H to complete the attack.
>>
>> You still need to demonstrate a sequence of connections to make this attack
>> work because your attack appears impossible to complete using TCP as
>> currently described.
>>
>> At the very minimum, you need to describe how the WebSocket connection from
>> the hijacked browser connects to both the HTTP (or DNS) server that computes
>> the hash, and to the target server S to complete the attack.
>
> The DNS server is the target server.

Then please retract your more general claimed attack against server S 
using DNS/HTTP.

Let me repeat the important claim from your proposal (also quoted above):

> "Consider, for example, a virtual hosting environment in which the 
> attacker can place PHP scripts on the server....  Now, the attacker 
> can complete the WebSocket handshake because the PHP script can 
> compute the HMAC and send the appropriate response header."

Is the PHP server owned by the attacker also the target server S? If so, 
you need to make that restricted claim clear, because you've given the 
impression that the target server S is not owned by the attacker.

-- Scott

> Adam