Re: [hybi] Extensibility mechanisms?
Adam Barth <ietf@adambarth.com> Thu, 22 July 2010 17:16 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF94A3A6842 for <hybi@core3.amsl.com>; Thu, 22 Jul 2010 10:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.359
X-Spam-Level:
X-Spam-Status: No, score=-1.359 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_33=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DpJ5UZHHHWRA for <hybi@core3.amsl.com>; Thu, 22 Jul 2010 10:16:32 -0700 (PDT)
Received: from mail-ew0-f44.google.com (mail-ew0-f44.google.com [209.85.215.44]) by core3.amsl.com (Postfix) with ESMTP id 576973A681C for <hybi@ietf.org>; Thu, 22 Jul 2010 10:16:32 -0700 (PDT)
Received: by ewy22 with SMTP id 22so3354226ewy.31 for <hybi@ietf.org>; Thu, 22 Jul 2010 10:16:46 -0700 (PDT)
Received: by 10.213.4.207 with SMTP id 15mr2155653ebs.61.1279819006253; Thu, 22 Jul 2010 10:16:46 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by mx.google.com with ESMTPS id h34sm30630980qcm.2.2010.07.22.10.16.45 (version=SSLv3 cipher=RC4-MD5); Thu, 22 Jul 2010 10:16:45 -0700 (PDT)
Received: by gyg8 with SMTP id 8so960756gyg.31 for <hybi@ietf.org>; Thu, 22 Jul 2010 10:16:45 -0700 (PDT)
Received: by 10.100.134.8 with SMTP id h8mr2544941and.11.1279819004322; Thu, 22 Jul 2010 10:16:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.143.145 with HTTP; Thu, 22 Jul 2010 10:16:23 -0700 (PDT)
In-Reply-To: <AANLkTingCdW6aXjw2xVEuZ9L4RkT5dD2ncJtvrytQFbH@mail.gmail.com>
References: <AANLkTikkfdlUxQ0MGNvVQKa5gfovkGHWdCgyN9juKSQJ@mail.gmail.com> <4C462F9E.9030207@caucho.com> <Pine.LNX.4.64.1007212153110.7242@ps20323.dreamhostps.com> <AANLkTiku76oSucTNDFdwgsFBNFa_cCpC-YktTnMfX47-@mail.gmail.com> <4C479130.4020500@caucho.com> <AANLkTikLDjBP-Xs5t6TxmJuq4nG8jwThQ=n34B4cEmup@mail.gmail.com> <4C479CE4.6070805@caucho.com> <AANLkTims1er0Rbv0ysP4gRs1Kd0He8hapHeJ3nON=JQa@mail.gmail.com> <4C47C5B0.3030006@caucho.com> <AANLkTi=ND-FOH8OoD=TCbiyeSZ-h0LhxQBXN5w-2hfvj@mail.gmail.com> <20100722055452.GL7174@1wt.eu> <F412C956-038F-400D-A431-C42B4C7B829C@apple.com> <AANLkTingCdW6aXjw2xVEuZ9L4RkT5dD2ncJtvrytQFbH@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 22 Jul 2010 10:16:23 -0700
Message-ID: <AANLkTikbpbB4zsMtFs1j5i_Y2+w=g2QZKe1QUdU8XJU6@mail.gmail.com>
To: Mike Belshe <mike@belshe.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Extensibility mechanisms?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2010 17:16:33 -0000
On Thu, Jul 22, 2010 at 8:07 AM, Mike Belshe <mike@belshe.com> wrote: > BTW - Isn't the creation of this problem really because we allow arbitrary > UTF-8 written by the JS application? If we had a true framing layer (where > frames have headers, instead of allowing UTF-8), would these attacks be > real? Sadly, framing alone isn't sufficient. Consider a protocol like DNS-over-TCP that uses the following framing mechanism: 1) Read the first byte and interpret that as the size of the first frame. 2) Attempt to consume the frame. 3) If you fail to consume the frame, advance to the next frame and return to step (1). If you send an HTTP POST to a DNS server that's listening to TCP (which many do), the server will interpret the "P" in POST as the frame length. The server will ignore the first frame (because it's not properly formated) and then 80 bytes into the POST body and try again. Now, it just so happens that you can't use browser-generated HTTP POST requests to screw with a DNS server because every interesting DNS request must have a NULL byte in it somewhere (as far as I can tell), and there's no way to generate a POST body from a browser that contains a NULL byte (at least in Internet Explorer). In other browsers (e.g., Firefox), you can get this exact attack to work, except that Firefox blocks port 53, so they escape disaster by another means. The details aren't that important. What's important is that framing along is insufficient to protect again cross-protocol attacks because the other protocol might be using a different framing mechanism. By combining the two, you might be able to get the victim protocol to ignore whatever traps you put in the framing. > It seems to me that the simplest frame header would be sufficient to > prevent all of these attack vectors, but the frame headers could contain > nonces or whatever other security information is needed too. You should be suspicious whenever someone says XYZ can prevent all attack vectors. Of the people posting to this list, only Maciej and Ian seem to have sufficient respect for the subtleties of these security issues. > The reason I mention this is because as we look to using a TLS/NPN, we can > potentially get rid of the first round trip. There was a lot of support for > that idea within the group. But, we can *only* do so if we don't have JS > able to write directly to the socket. If JS is able to write UTF-8 to the > socket, then skipping the first round trip opens a security vulnerability as > depicted by Maciej & Adam here. The essential security property that we need from TLS+NPN is that the server agrees that it wants to talk web sockets (by agreeing that it's the next protocol) before we dump anything dangerous on the socket. You need at least one round trip to the server to get it's consent to receive attacker-controlled bytes. I don't see a way around that with our current tools. On Thu, Jul 22, 2010 at 9:36 AM, Scott Ferguson <ferg@caucho.com> wrote: > Actually, let me explain how the non-HTTP version was designed to handle > cross-protocol attacks, because I didn't explain the reasoning behind the > design in the draft. Your analysis is wildly optimistic and doesn't consider protocols like with framing mechanisms like DNS-over-TCP described above. You're just embarrassing yourself. Adam
- [hybi] Extensibility mechanisms? Justin Erenkrantz
- Re: [hybi] Extensibility mechanisms? Thomson, Martin
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Justin Erenkrantz
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Justin Erenkrantz
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Thomson, Martin
- Re: [hybi] Extensibility mechanisms? Roberto Peon
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Julian Reschke
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Julian Reschke
- Re: [hybi] Extensibility mechanisms? Martin J. Dürst
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- [hybi] HTTP is not a disaster. Was: Extensibility… Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] Extensibility mechanisms? Julian Reschke
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] HTTP is not a disaster. Was: Extensibi… Pieter Hintjens
- Re: [hybi] Extensibility mechanisms? Pieter Hintjens
- Re: [hybi] Extensibility mechanisms? Bjoern Hoehrmann
- [hybi] NAT reset recovery? Was: Extensibility mec… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
- [hybi] WebSocket, TLS and intermediaries Vladimir Katardjiev
- Re: [hybi] Extensibility mechanisms? Roberto Peon
- Re: [hybi] Extensibility mechanisms? Roberto Peon
- Re: [hybi] Extensibility mechanisms? Julian Reschke
- Re: [hybi] Extensibility mechanisms? Pieter Hintjens
- Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
- Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
- Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
- Re: [hybi] NAT reset recovery? Was: Extensibility… Greg Wilkins
- Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
- Re: [hybi] NAT reset recovery? Was: Extensibility… Pieter Hintjens
- Re: [hybi] NAT reset recovery? Was: Extensibility… Thomson, Martin
- Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Thomson, Martin
- Re: [hybi] NAT reset recovery? Was: Extensibility… Vladimir Katardjiev
- Re: [hybi] NAT reset recovery? Was: Extensibility… Dave Cridland
- Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Markus.Isomaki
- Re: [hybi] NAT reset recovery? Was: Extensibility… Dave Cridland
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] NAT reset recovery? Was: Extensibility… Jamie Lokier
- Re: [hybi] WebSocket, TLS and intermediaries Ian Hickson
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] Extensibility mechanisms? John Tamplin
- Re: [hybi] Extensibility mechanisms? Roberto Peon
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Jack Moffitt
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] WebSocket, TLS and intermediaries Mike Belshe
- Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
- Re: [hybi] WebSocket, TLS and intermediaries John Tamplin
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] WebSocket, TLS and intermediaries Roberto Peon
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] WebSocket, TLS and intermediaries Roberto Peon
- Re: [hybi] Extensibility mechanisms? Roberto Peon
- Re: [hybi] WebSocket, TLS and intermediaries Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Thomson, Martin
- Re: [hybi] WebSocket, TLS and intermediaries Thomson, Martin
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
- Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
- Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
- Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
- Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Roberto Peon
- Re: [hybi] WebSocket, TLS and intermediaries Julian Reschke
- Re: [hybi] Extensibility mechanisms? Simone Bordet
- Re: [hybi] Extensibility mechanisms? Simone Bordet
- Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
- Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
- Re: [hybi] WebSocket, TLS and intermediaries Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Ian Hickson
- Re: [hybi] WebSocket, TLS and intermediaries Ian Hickson
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] WebSocket, TLS and intermediaries Mike Belshe
- Re: [hybi] WebSocket, TLS and intermediaries Greg Wilkins
- Re: [hybi] WebSocket, TLS and intermediaries Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] WebSocket, TLS and intermediaries Roberto Peon
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- [hybi] Upgrade Mechanism and HasMat (was Re: Exte… Salvatore Loreto
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Roy T. Fielding
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Salvatore Loreto
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Willy Tarreau
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Dave Cridland
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Willy Tarreau
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Extensibility mechanisms? John Tamplin
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Dave Cridland
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Dave Cridland
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? John Tamplin
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Maciej Stachowiak
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Adam Barth
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Mike Belshe
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Roy T. Fielding
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … John Tamplin
- Re: [hybi] Extensibility mechanisms? Willy Tarreau
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Roy T. Fielding
- Re: [hybi] Extensibility mechanisms? Simon Pieters
- Re: [hybi] Extensibility mechanisms? Greg Wilkins
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Greg Wilkins
- Re: [hybi] Upgrade Mechanism and HasMat (was Re: … Maciej Stachowiak
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] Extensibility mechanisms? Jamie Lokier
- Re: [hybi] Extensibility mechanisms? Adam Barth
- Re: [hybi] Extensibility mechanisms? Scott Ferguson
- Re: [hybi] WebSocket, TLS and intermediaries Patrick McManus